Installing Suricata and Filebeat on Centos and Shipping Suricata Logs to Elastic SIEM

Suricata is an open-source network intrusion detection system (NIDS). It can be deployed quickly either on dedicated hardware that monitors one or more transit points on your network, or directly on existing Unix-like hosts to monitor only their own traffic. Because Suricata can write its NIDS events as JSON logs, it integrates very well with Elastic SIEM.

For the full video tutorial go to the bottom of the post.

Switch to the root user

sudo su -

Install epel-release, wget and jq

yum -y install epel-release wget jq

Download the Suricata stable COPR repository file into /etc/yum.repos.d/ so that yum can find the package

curl -o /etc/yum.repos.d/jasonish-suricata-stable-epel-7.repo https://copr.fedorainfracloud.org/coprs/jasonish/suricata-stable/repo/epel-7/jasonish-suricata-stable-epel-7.repo

Install Suricata

yum -y install suricata

Download the Emerging Threats Open rules for Suricata

wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz

Extract the rules

tar zxvf emerging.rules.tar.gz

Remove the rules that ship with the package from the rules directory

rm -f /etc/suricata/rules/*

Move the extracted rules into the Suricata rules directory

mv rules/*.rules /etc/suricata/rules/

Delete the packaged suricata.yaml

rm -f /etc/suricata/suricata.yaml

Download the suricata.yaml used in this post from the URL below. It is hosted by a third party and fetched over plain HTTP, so read through it before relying on it.

wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml

Reload systemd, then enable and start Suricata

systemctl daemon-reload
systemctl enable suricata
systemctl start suricata
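The steps above (and the test in the next section) collected into one script, as an added example that is not part of the original post. It keeps the same URLs and paths but adds the checks a practitioner would want: the repo file is written where yum looks for it, the packaged rules are only discarded once the new set has unpacked, the packaged suricata.yaml is kept as a backup, and `suricata -T` validates the config and rules before the service starts. Function names, the temp directory handling and the `install` argument are this example's own choices; the signature id 2013028 comes from the sample alert in the post.

```shell
#!/bin/sh
# Added example, not from the original post: the CentOS 7 install steps as one script.
# Usage (as root):  sh suricata-setup.sh install
set -eu

REPO_URL="https://copr.fedorainfracloud.org/coprs/jasonish/suricata-stable/repo/epel-7/jasonish-suricata-stable-epel-7.repo"
RULES_URL="https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz"
YAML_URL="http://www.branchnetconsulting.com/wazuh/suricata.yaml"
RULES_DIR="/etc/suricata/rules"
CONF="/etc/suricata/suricata.yaml"
FAST_LOG="/var/log/suricata/fast.log"
TESTMYIDS_SID="2013028"   # sid of "ET POLICY curl User-Agent Outbound" in the post's sample alert

require_root() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "this script must run as root" >&2
        return 1
    fi
}

install_packages() {
    yum -y install epel-release wget jq
    # The COPR repo file has to live in /etc/yum.repos.d/ for yum to find the package.
    curl -fsSL -o /etc/yum.repos.d/jasonish-suricata-stable-epel-7.repo "$REPO_URL"
    yum -y install suricata
}

install_rules() {
    tmp=$(mktemp -d)
    wget -q -O "$tmp/emerging.rules.tar.gz" "$RULES_URL"
    tar xzf "$tmp/emerging.rules.tar.gz" -C "$tmp"
    # Only discard the packaged rules once the new set has unpacked cleanly.
    if [ -z "$(ls "$tmp"/rules/*.rules 2>/dev/null)" ]; then
        echo "no .rules files found in the archive" >&2
        return 1
    fi
    rm -f "$RULES_DIR"/*
    mv "$tmp"/rules/*.rules "$RULES_DIR"/
    rm -rf "$tmp"
}

install_config() {
    # Keep the packaged config as a reference rather than deleting it outright.
    if [ -f "$CONF" ]; then
        cp -p "$CONF" "$CONF.orig"
    fi
    wget -q -O "$CONF" "$YAML_URL"
    # suricata -T parses the config and every rule file and exits non-zero on errors,
    # so a broken download or rule set is caught before the service is started.
    suricata -T -c "$CONF"
}

start_service() {
    systemctl daemon-reload
    systemctl enable suricata
    systemctl start suricata
}

# alert_has_sid LINE SID: succeeds when a fast.log line was raised by signature SID.
# fast.log prints the rule as [gid:sid:rev], so the sid is matched between the colons.
alert_has_sid() {
    case "$1" in
        *"[1:$2:"*) return 0 ;;
        *) return 1 ;;
    esac
}

verify_alert() {
    curl -s -o /dev/null http://testmyids.com
    sleep 2   # give Suricata a moment to write the alert
    last=$(tail -n1 "$FAST_LOG")
    if alert_has_sid "$last" "$TESTMYIDS_SID"; then
        echo "OK: $last"
    else
        echo "expected sid $TESTMYIDS_SID in the last alert, got: $last" >&2
        return 1
    fi
}

main() {
    require_root
    install_packages
    install_rules
    install_config
    start_service
    verify_alert
}

# Only act when asked, so the file can also be sourced for its functions.
case "${1:-}" in
    install) main ;;
esac
```

Because the packaged suricata.yaml is copied to suricata.yaml.orig instead of being removed, you can diff the two files to see exactly what the downloaded configuration changes.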

Test Suricata

Fetch the test URL with curl (the curl User-Agent trips an ET POLICY rule)

curl http://testmyids.com

Check the last line of the Suricata fast.log

tail -n1 /var/log/suricata/fast.log

It should look like this (the timestamp and addresses will differ):

08/21/2020-22:56:10.249355  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.2.12:43188 -> 31.3.245.133:80
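A small parser for the fast.log line format shown above, added here as an example that is not part of the original post, for triaging alerts on the host before (or alongside) shipping them to Elastic. Each line carries the timestamp, the rule as [gid:sid:rev], the rule message, an optional classification, the priority (1 is the most severe), the protocol and the source and destination endpoints. Function names and the sample lines are constructed for this example; sid 9000001 is a made-up local rule used only to exercise the missing-classification case.

```shell
#!/bin/sh
# Added example, not from the original post: parse and summarize Suricata fast.log lines.

# One fast.log line is:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: <class>] [Priority: <n>] {<proto>} <src> -> <dst>
# The Classification part is absent for rules without a classtype, so it is optional here.
FAST_RE='^([^ ]+) +\[\*\*\] \[[0-9]+:([0-9]+):[0-9]+\] (.*) \[\*\*\] (\[Classification: ([^]]*)\] )?\[Priority: ([0-9]+)\] [{]([^}]+)[}] ([^ ]+) -> ([^ ]+)$'

# parse_fast_log: stdin fast.log lines -> "ts|sid|msg|class|priority|proto|src|dst".
# Lines that do not match the format (e.g. a truncated last line) are dropped.
parse_fast_log() {
    sed -nE "s#${FAST_RE}#\\1|\\2|\\3|\\5|\\6|\\7|\\8|\\9#p"
}

# parse_fast_line LINE: parse a single line given as an argument.
parse_fast_line() {
    printf '%s\n' "$1" | parse_fast_log
}

# summarize_alerts: stdin fast.log lines -> "count|priority|sid|msg", busiest signature first.
# Rule messages are assumed not to contain "|", which holds for the ET rule set.
summarize_alerts() {
    parse_fast_log |
        awk -F'|' '{ k = $5 "|" $2 "|" $3; n[k]++ } END { for (k in n) print n[k] "|" k }' |
        sort -t'|' -k1,1nr -k2,2n
}

# filter_priority MAX: stdin fast.log lines -> parsed lines whose priority is <= MAX.
filter_priority() {
    parse_fast_log | awk -F'|' -v max="$1" '$5 <= max'
}

# Constructed sample: three hits of the rule from the post plus one made-up local rule
# (sid 9000001) without a classtype, to exercise the optional field.
SAMPLE_FAST_LOG='08/21/2020-22:56:10.249355  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.2.12:43188 -> 31.3.245.133:80
08/21/2020-22:57:01.000001  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.2.12:43190 -> 31.3.245.133:80
08/21/2020-22:58:12.000002  [**] [1:9000001:1] LOCAL TEST constructed alert without classtype [**] [Priority: 1] {UDP} 10.0.2.12:51234 -> 10.0.2.1:53
08/21/2020-22:59:30.000003  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.2.12:43192 -> 31.3.245.133:80'

# demo_summary: the per-signature count over the constructed sample.
demo_summary() {
    printf '%s\n' "$SAMPLE_FAST_LOG" | summarize_alerts
}

# demo_high_priority: only priority-1 alerts from the constructed sample.
demo_high_priority() {
    printf '%s\n' "$SAMPLE_FAST_LOG" | filter_priority 1
}

demo_summary
demo_high_priority
```

On a live sensor, replace the sample with `tail -n 1000 /var/log/suricata/fast.log | summarize_alerts` to see which signatures are firing most, or `filter_priority 1` to pull out only the most severe ones.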

Filebeat

To set up Filebeat, follow the Suricata logs tutorial built into your Elastic SIEM instance, at the URL below.

For my instance I used Elastic Cloud.
https://<Elastic-SIEM-Instance>:9243/app/home#/tutorial/suricataLogs