Home
Tom Perso edited this page Feb 15, 2017
Start with a standard Ubuntu 16.04 install
Let's install filebeat to ship logs to ELK
Digital Ocean has a good guide: https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elk-stack-on-ubuntu-16-04
- Set up the sniffing interface

```text
auto ens192
iface ens192 inet static
    address 0.0.0.0
    netmask 0.0.0.0
    up ip link set $IFACE promisc on
    post-up ethtool -K $IFACE gro off
    post-up ethtool -K $IFACE lro off
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down
```
- Let's add the suricata PPA

```bash
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata oinkmaster
```
Now, let's configure oinkmaster: pull the oinkmaster.conf file from git and set up a crontab entry to execute it every night:

```text
30 2 * * * oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
```
Set up the suricata.yaml file to point to our sniffing interface and restart the service.
At this point, you should see the /var/log/suricata/eve.json file
Now, we need to update Filebeat's prospector to catch the JSON file:

```yaml
filebeat:
  prospectors:
    -
      paths:
        - /var/log/suricata/*/eve.json
      input_type: log
      document_type: SuricataIDPS
```
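As an added example (not part of the original wiki), here is a small Python reader for the EVE JSON that Filebeat ships from /var/log/suricata/eve.json: it counts event types and summarises alerts by signature and source. The log lines are constructed, not real captures, and the truncated last line shows why a tailing reader has to tolerate partial writes.

```python
import json
from collections import Counter

# Constructed sample of Suricata EVE JSON (one event per line, as written to
# /var/log/suricata/eve.json). Not a real capture; the truncated last line is deliberate.
SAMPLE_EVE = """\
{"timestamp":"2017-02-15T02:31:07.000000+0000","in_iface":"ens192","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2017-02-15T02:31:08.000000+0000","in_iface":"ens192","event_type":"dns","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1,"rrname":"example.com","rrtype":"A"}}
{"timestamp":"2017-02-15T02:31:09.000000+0000","in_iface":"ens192","event_type":"alert","src_ip":"10.0.0.5","src_port":51240,"dest_ip":"10.0.0.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2017-02-15T02:31:10.000000+0000","in_iface":"ens192","event_type":"alert","src_ip":"10.0.0.7","src_port":44444,"dest_ip":"10.0.0.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":1}}
{"timestamp":"2017-02-15T02:31:11.000000+0000","in_iface":"ens192","event_type":"alert","src_ip":"10.0.0.7
"""

def parse_eve(text):
    """Yield one dict per well-formed EVE line, skipping blank or truncated lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except ValueError:
            continue  # partial write or corruption: skip it, do not abort the parse

def count_event_types(text):
    """Count events by event_type (alert, dns, http, flow, ...)."""
    return Counter(ev.get("event_type", "unknown") for ev in parse_eve(text))

def summarize_alerts(text, max_severity=3):
    """Count alert events at or above a severity threshold.
    Suricata severity 1 is the most severe, so keep alerts with severity <= max_severity.
    Returns (Counter keyed by (signature_id, signature), Counter keyed by src_ip)."""
    by_sig, by_src = Counter(), Counter()
    for ev in parse_eve(text):
        if ev.get("event_type") != "alert":
            continue
        alert = ev["alert"]
        if alert.get("severity", 3) > max_severity:
            continue
        by_sig[(alert["signature_id"], alert["signature"])] += 1
        by_src[ev["src_ip"]] += 1
    return by_sig, by_src

if __name__ == "__main__":
    print(dict(count_event_types(SAMPLE_EVE)))
    sigs, sources = summarize_alerts(SAMPLE_EVE)
    for (sid, name), n in sigs.most_common():
        print(f"{n:3d}  sid:{sid}  {name}")
    print("top sources:", sources.most_common(3))
```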
Bro Install
- Add the Bro PPA:

```bash
sudo sh -c "echo 'deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /' >> /etc/apt/sources.list.d/bro.list"
wget http://download.opensuse.org/repositories/network:bro/xUbuntu_15.10/Release.key
sudo apt-key add - < Release.key
sudo apt-get update
sudo apt-get install bro
```