This page gives you some additional information on the configuration of SuricataPi and helps you start customizing it. If you have created something new and cool, please contribute your change.
If you want to modify SuricataPi, a good start is to read the standard guides of the tools used:
- Suricata: Suricata: Configuration
- Elastic Stack: Secure the Elastic Stack
- Logstash: Getting Started with Logstash
- Elasticsearch: Configuring Elasticsearch
- Kibana: Kibana Dashboard
Most likely you will want to customize the rules loaded by Suricata. SuricataPi enables only some of the freely available rule sources. You can get the list of the freely available sources by calling:
suricata-update list-sources --free
To get a list of all enabled sources, call:
suricata-update list-sources --enabled
...
Enabled sources:
- ptresearch/attackdetection
- etnetera/aggressive
- et/open
To enable an additional source, call:
sudo suricata-update enable-source <SOURCENAME>
Suricata is configured to write its output as Eve JSON Output to /var/log/suricata/eve.json. The next stage in the pipeline is Logstash.
The configuration for Logstash is done in /etc/logstash/conf.d/10-suricata.conf. The Logstash configuration has three blocks: Input -> Filter -> Output.
You will most likely not need to touch the Input and Output blocks, but you might want to add filters that create additional data for your analysis or dashboards. You will find helpful information in Creating a Logstash pipeline and Filter plugins.
The output of Logstash is loaded into the Elasticsearch data stream suricatapi-eve-json-stream.
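As an added illustration of the three blocks (this is not the project's own 10-suricata.conf), the pipeline below reads eve.json, enriches alert events with a GeoIP lookup on the source address (this is where a geoip.location field, which the index template maps as geo_point, would come from) and writes the events into the data stream. The eve.json path, the data stream name and the event field names follow the Suricata Eve format described on this page; the hosts value, the geoip filter and the alert_summary field are assumptions.

```conf
input {
  file {
    # Suricata's Eve JSON output, one event per line
    path => "/var/log/suricata/eve.json"
    codec => "json"
    start_position => "beginning"
  }
}

filter {
  # Only alert events are geo-enriched; flow, dns, http, ... pass through unchanged
  if [event_type] == "alert" {
    geoip {
      source => "src_ip"
      # legacy (non-ECS) field layout: geoip.location holds {lat, lon}
      ecs_compatibility => "disabled"
    }
    mutate {
      # example of derived data for a dashboard: severity and signature in one string
      add_field => { "alert_summary" => "%{[alert][severity]} %{[alert][signature]}" }
    }
  }
}

output {
  elasticsearch {
    # plain http: xpack security is disabled on SuricataPi, so Elasticsearch
    # is expected to be reachable from the Pi itself only
    hosts => ["http://localhost:9200"]
    # a data stream only accepts the create action
    action => "create"
    index => "suricatapi-eve-json-stream"
  }
}
```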
There is not much that SuricataPi configures for Elasticsearch; the default configuration is good enough. The only configuration done to Elasticsearch is:
- limiting the Java heap size in /etc/elasticsearch/jvm.options.d/suricatapi.options:
-Xms256m
-Xmx256m
- disabling the security features in /etc/elasticsearch/elasticsearch.yml:
xpack.security.enabled: false
If you want to change other settings for Elasticsearch, a good guide is Configuring Elasticsearch. On top of Elasticsearch, Kibana is running to deliver the dashboards.
For Kibana, the default configuration is also good enough for SuricataPi. If you want to optimize anything here, see Configure Kibana. SuricataPi loads preconfigured dashboards into Kibana, which you can access via http://suricatapi:5601/app/dashboards. The available elements to base your own dashboards on are:
- suricatapi-eve-json-stream, the data stream which receives the eve.json data from Logstash
- suricatapi-index-template, an index template which maps the geoip.location contained in suricatapi-eve-json-stream as geo_point, so Kibana can use it
- suricatapi-index-policy, an index lifecycle policy which manages the lifecycle of the suricatapi-eve-json-stream data stream. It is configured to roll over every day to a new backing index and to delete any backing index that is older than 14 days
- suricatapi-data-view, the data view which finally gives your dashboards access to the data from suricatapi-eve-json-stream
To start creating your own dashboards, a good read is Dashboard and visualizations. If you have created nice dashboards, please export your work following Manage saved objects and contribute them to SuricataPi.