Comments on Suricata IDS with ELK and Web Frontend on Ubuntu 18.04 LTS
Suricata is an IDS / IPS capable of using Emerging Threats and VRT rule sets like Snort and Sagan. This tutorial shows the installation and configuration on an Ubuntu 18.04 (Bionic Beaver) server.
16 Comment(s)
Comments
Can I use this solution with 2 bridged NICs?
Firstly, I wanted to thank you for such thorough instructions. I have been looking for something like this for some time. I have spent the day setting up a test environment to go through your instructions.
I am stuck on the first step with the dependencies. Specifically the libnetfilter-queue-dev dependency. When I try to run “sudo apt -y install libnetfilter-queue-dev” I get the error “Unable to locate package libnetfilter-queue-dev”.
I have been researching this for the last few hours with no luck. If you could provide any direction, it would be greatly appreciated.
Many Thanks!
With regard to libnetfilter-queue-dev, make sure you have all necessary sources enabled in apt. The package is listed on packages.ubuntu.com.
You can leave it out, I only added it to be thorough. You only need it when you want to compile your own version of Suricata.
Suricata can work with bridged interfaces. You have to list the correct interface name in the suricata config.
Thanks, I will use it with a HAPROXY cluster to secure my data center platform. Thanks again.
When following these instructions, I find that no Suricata directory got created in /var/lib. I found this when trying to give permissions to directories that Suricata needed. Also, it looks like there are many options for suricata update and none are specified in the document (or not any that I see).
It seems various sample configs here are not formatted correctly...
/etc/logstash/conf.d/10-input.conf: Missing file extension and closing quote on "GeoLite2-City" database line
/etc/logstash/conf.d/30-outputs.conf: Has excess closing curly bracket "}" on the index line
What is wrong?
[2018-11-13T11:54:02,439][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2018.11.13", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x4f9e9d55>], :response=>{"index"=>{"_index"=>"logstash-2018.11.13", "_type"=>"doc", "_id"=>"_irrDGcBeiebjANt2FV6", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [host]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:339"}}}}
Newer filebeat versions are conflicting with this; filebeat has its own field "host".
A possible workaround: edit the "mutate" section to remove the field "host":
mutate {
  convert => [ "[geoip][coordinates]", "float" ]
  remove_field => [ "host" ]
}
Maybe editing the filebeat config is also a possible way to solve this issue, but I did not find the solution there yet.
When running the command: apt -y install elasticsearch kibana logstash
it fails at the end because it is missing the dependency Java.
apt -y install elasticsearch kibana logstash
Please note under section "Scirius Installation" there is a typo:
"cd scirious" should be "cd scirius"
Should be a CR after [Install], have corrected below:

[Unit]
Description=Scirius Service
After=multi-user.target

[Service]
Type=idle
# systemd does not interpret shell redirection, so the log redirect needs a shell
ExecStart=/bin/sh -c '/usr/bin/python /opt/scirius/manage.py runserver > /var/log/scirius.log 2>&1'

[Install]
WantedBy=multi-user.target
Should be:
chmod 644 /lib/systemd/system/scirius.service
systemctl daemon-reload
systemctl enable scirius.service
I think before the command "python manage.py migrate" you need "sudo mkdir /var/log/scirius", at least I did.
There's an error in:
apt -y install elasticseach kibana logstash
It should be:
apt -y install elasticsearch kibana logstash