userguide:web_interface_for_suricata

Web interface for Suricata on NethServer 7

Subtitle: How To install and configure Web interface on ELK stack for Suricata

Version and revision: V1.0 / R 0.0.

For Nethserver 7

Accessible to: Intermediate / Advanced / Developer

Date of presentation: 2016-09-14

Enable eve-log

config setprop suricata EveLog yes
signal-event nethserver-suricata-update

Install ELK stack

How To Install Elasticsearch, Logstash, and Kibana (ELK Stack) on NethServer 7

Configure Logstash

Edit Logstash configuration file 

vi /etc/logstash/conf.d/logstash.conf
input {
  file {
    path => ["/var/log/suricata/eve.json"]
    codec => json
    type => "eve-json"
    add_field => ["engine", "suricata"]
    sincedb_path => "/tmp/.sincedb_eve"
  }
}

filter {

  if [type] == "eve-json" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }

  if [event_type] == "alert" {
    mutate {
      add_tag => ["inbox"]
    }
  }

  if [src_ip]  {
    geoip {
      source => "src_ip"
      target => "geoip"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
}

output {
 stdout {
   codec => rubydebug
 }
  elasticsearch {}
}
systemctl restart logstash

Kibana Templates for Suricata

You can find Kibana templates here https://github.com/StamusNetworks/KTS. To get them work, you need to install the timelion plug-in of kibana via the following command 

/opt/kibana/bin/kibana plugin -i elastic/timelion

EveBox

To launch EveBox, download it and execute it: 

cat > /etc/yum.repos.d/evebox.repo << EOF
[bintraybintray-jasonish-evebox-development-rpm-x86_64]
name=bintray-jasonish-evebox-development-rpm-x86_64
baseurl=https://dl.bintray.com/jasonish/evebox-development-rpm-x86_64
gpgcheck=0
repo_gpgcheck=0
enabled=1
EOF
yum -y install evebox
systemctl start evebox

To start EveBox at boot 

systemctl enable evebox

Open EveBox port from local networks: 

config set fw_evebox service status enabled TCPPort 5636 access private
signal-event firewall-adjust

Scirius

Scirius https://github.com/StamusNetworks/scirius is a web interface dedicated to Suricata ruleset management 

yum -y install python-pip python-devel git gcc
git clone https://github.com/StamusNetworks/scirius.git
cd scirius/

Install required python modules 

pip install -r requirements.txt
pip install pyinotify
pip install gitdb
python manage.py syncdb
python manage.py runserver
python manage.py runserver 0.0.0.0:8000

Open Scirius port from local networks: 

config set fw_scirius service status enabled TCPPort 8000 access private
signal-event firewall-adjust

Delete Network Services [if the Webinterface not work or not be liked] 

config delete fw_evebox
config delete fw_scirius
config delete fw_kibana
,
  • userguide/web_interface_for_suricata.txt
  • Last modified: 2017/06/05 19:52
  • by Aaron