# SuricataPi

## Details

[Back to README.md]

This page gives some additional information on the configuration of SuricataPi and helps you start customizing it. If you have created something new and cool, please contribute your change.

## Contents

- General
- Suricata
- Logstash
- Elasticsearch
- Kibana

## General

If you want to modify SuricataPi, a good starting point is the standard documentation of the tools it uses.

## Suricata

[Back to Contents]

Most likely you will want to customize the rules loaded by Suricata. SuricataPi enables only some of the freely available rule sources. You can list the free sources with:

```
suricata-update list-sources --free
```

To list all enabled sources, call:

```
suricata-update list-sources --enabled
...
Enabled sources:
  - ptresearch/attackdetection
  - etnetera/aggressive
  - et/open
```

To enable an additional source, call:

```
sudo suricata-update enable-source <SOURCENAME>
```
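Enabling a source alone does not change what the running sensor sees: the rules still have to be downloaded, checked and reloaded. The following script is an added example, not part of SuricataPi, that wraps the page's `suricata-update` commands into that full procedure. It assumes the default Suricata paths (`/etc/suricata/suricata.yaml`, rules under `/var/lib/suricata/rules`) and that `suricatasc` can reach the running daemon; the `enabled_sources` helper parses the `list-sources --enabled` output shown above.

```bash
#!/usr/bin/env bash
# Added example, not part of SuricataPi: enable a rule source, then fetch,
# validate and hot-reload the ruleset. Paths are the Suricata defaults and
# are assumptions; adjust them to your installation.
set -euo pipefail

# Turn the output of `suricata-update list-sources --enabled` (read from stdin)
# into one "vendor/name" per line.
enabled_sources() {
  sed -n 's|^ *- *\([^ ]*/[^ ]*\) *$|\1|p'
}

# Exit 0 if the source named in $1 appears in the list read from stdin.
is_enabled() {
  enabled_sources | grep -qxF -- "$1"
}

# Enable $1 (if needed), download rules, test the configuration and reload
# the running Suricata without a restart.
enable_and_reload() {
  local src="$1"
  if suricata-update list-sources --enabled | is_enabled "$src"; then
    echo "$src is already enabled"
  else
    suricata-update enable-source "$src"
  fi
  suricata-update                               # writes /var/lib/suricata/rules/suricata.rules (default path)
  suricata -T -c /etc/suricata/suricata.yaml    # -T: test mode, fails on a broken config or rule file
  suricatasc -c reload-rules                    # ask the running daemon to reload its ruleset
}

# Only run the live procedure when a source name is given, e.g.
#   sudo ./enable-source.sh <SOURCENAME>
if [ "${1:-}" ]; then
  enable_and_reload "$1"
fi
```

Running `suricata -T` before the reload matters: a source that ships a rule Suricata cannot parse would otherwise be rejected at reload time, or worse, silently leave the old ruleset in place.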

Suricata is configured to write its output as Eve JSON to `/var/log/suricata/eve.json`. The next stage in the pipeline is Logstash.

## Logstash

[Back to Contents]

The configuration for Logstash is done in `/etc/logstash/conf.d/10-suricata.conf`. The Logstash configuration has three blocks: Input -> Filter -> Output.

You will most likely not need to touch the Input and Output blocks, but you might want to add filters that derive additional data for your analysis or dashboards. You will find helpful information in Creating a Logstash pipeline and Filter plugins.

The output of Logstash is loaded into the Elasticsearch data stream `suricatapi-eve-json-stream`.

## Elasticsearch

[Back to Contents]

There is not much that SuricataPi configures for Elasticsearch; the default configuration is good enough. The only changes made to Elasticsearch are:

limiting the Java heap size in `/etc/elasticsearch/jvm.options.d/suricatapi.options`:

```
-Xms256m
-Xmx256m
```

and disabling the security features in `/etc/elasticsearch/elasticsearch.yml`:

```yaml
xpack.security.enabled: false
```

With the security features disabled, the Elasticsearch HTTP API (port 9200 by default) accepts unauthenticated requests without TLS, so anything that can reach that port can read and modify all indexed data.
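Because `xpack.security.enabled: false` removes authentication from the Elasticsearch API, the one thing worth checking after any change to the Pi is that port 9200 is still bound to loopback only. The script below is an added example, not part of SuricataPi; it parses `ss -ltn` output and reports listeners on the given ports that are not on a loopback address. The port numbers are the Elasticsearch (9200) and Kibana (5601) defaults and are assumptions, not values read from the SuricataPi configuration.

```bash
#!/usr/bin/env bash
# Added example, not part of SuricataPi: with xpack.security.enabled: false
# nothing authenticates requests to Elasticsearch, so confirm that port 9200
# is only listening on loopback. Port numbers are the Elasticsearch and
# Kibana defaults (assumed, not taken from the SuricataPi config).
set -euo pipefail

# Read `ss -ltn` output from stdin and print "port address" for every
# listening socket on one of the given ports whose address is not loopback.
exposed_listeners() {
  awk -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    NR > 1 {                                  # skip the header line
      addr = $4                               # "Local Address:Port" column
      port = addr; sub(/.*:/, "", port)       # text after the last colon
      host = addr; sub(/:[0-9]+$/, "", host)  # text before it
      if (!(port in want)) next
      if (host == "127.0.0.1" || host == "[::1]") next
      print port, host
    }'
}

# Live check: report Elasticsearch (9200) listeners reachable from the network.
# Kibana (5601) is expected to be reachable, since the dashboards are served
# from http://suricatapi:5601, so it is only inspected when passed as an argument.
check_elasticsearch_exposure() {
  local out
  out=$(ss -ltn | exposed_listeners 9200 "$@")
  if [ -n "$out" ]; then
    printf 'exposed listener(s):\n%s\n' "$out"
    return 1
  fi
  echo "ok: 9200 is bound to loopback only"
}

# Usage on the Pi:  ./check-exposure.sh --live        (Elasticsearch only)
#                   ./check-exposure.sh --live 5601   (also list Kibana)
if [ "${1:-}" = "--live" ]; then
  shift
  check_elasticsearch_exposure "$@"
fi
```

A wildcard (`*` or `0.0.0.0`) or a LAN address on 9200 means the unauthenticated API is reachable from every host on the network segment; the fix is the `network.host` setting in `elasticsearch.yml`, which defaults to loopback, rather than re-enabling security on a 256 MB heap.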

If you want to change other Elasticsearch settings, see Configuring Elasticsearch. Kibana runs on top of Elasticsearch to deliver the dashboards.

## Kibana

[Back to Contents]

For Kibana, the default configuration is also good enough for SuricataPi. If you want to tune anything here, see Configure Kibana. SuricataPi loads preconfigured dashboards into Kibana, which you can access at http://suricatapi:5601/app/dashboards. The elements available to base your own dashboards on are:

- `suricatapi-eve-json-stream`, the data stream which receives the eve.json data from Logstash
- `suricatapi-index-template`, an index template which maps the `geoip.location` field contained in `suricatapi-eve-json-stream` as `geo_point`, so Kibana can use it
- `suricatapi-index-policy`, an index lifecycle policy which manages the lifecycle of the `suricatapi-eve-json-stream` data stream. It is configured to roll over to a new backing index every day and to delete any backing index older than 14 days
- `suricatapi-data-view`, the data view which finally gives your dashboards access to the data from `suricatapi-eve-json-stream`

To start creating your own dashboards, a good read is Dashboard and visualizations. If you have created nice dashboards, please export them following Manage saved objects and contribute them to SuricataPi.

[Back to README] [Back to top]