Installing Suricata - Paiet/SEC-440-Webmin GitHub Wiki

This tutorial installs the Suricata IDS and the Elastic Stack on an Arch or Ubuntu server. The components of the stack are:

  • Elasticsearch to store, index, correlate, and search the security events from the server.
  • Kibana to display the logs stored in Elasticsearch (we'll be doing some weird things to get this to work/be managed within Webmin).
  • Filebeat to parse Suricata's eve.json log file and send each event to Elasticsearch for processing.
  • Suricata to inspect network traffic against its rule set and log alerts to eve.json; when run in IPS mode through NFQUEUE it can also drop packets that match a drop rule.

The tutorial is divided into two parts: the first covers installing and configuring Suricata, the second installing and configuring the Elastic Stack.

Recommended Installs (build dependencies)

The package names below are Debian/Ubuntu names, so they are installed with apt-get; pacman is Arch's package manager and does not know these names, so on Arch the equivalent packages from the Arch repositories must be used instead.

sudo apt-get install build-essential libpcap-dev   \
                libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
                libcap-ng-dev libcap-ng0 make libmagic-dev         \
                libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \
                python-yaml rustc cargo libpcre2-dev

Commands for iptables/nftables IPS Integration

Suricata only gets NFQUEUE (and NFLOG) support if these libraries are present at build time, so install them before building if you intend to run in IPS mode. Again these are Debian/Ubuntu package names:

sudo apt-get install libnetfilter-queue-dev libnetfilter-queue1  \
                libnetfilter-log-dev libnetfilter-log1      \
                libnfnetlink-dev libnfnetlink0

To Install Suricata

On Ubuntu, add the OISF stable PPA (add-apt-repository is provided by the software-properties-common package), refresh the package index and install Suricata. The PPA is Ubuntu-only and does not apply to Arch.

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata
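One way to drive the dependency installs from a single script and then confirm that the resulting binary actually has what the rest of the tutorial relies on, as an added example that is not part of the wiki or the Suricata project: the Debian/Ubuntu package names are the ones listed above; the Arch package names, the detect_distro/install_cmd/has_features/check_suricata_build function names and the `check` argument are my assumptions. The check parses the `Features:` line that `suricata --build-info` prints, so a box that received the IDS dependencies but not the NFQUEUE libraries is caught before you try to switch on IPS mode.

```shell
#!/bin/sh
# Added example, not code from the wiki: pick the package manager and package
# names for the distro, then verify that the installed Suricata was built with
# the features this tutorial depends on (NFQ for the iptables/nftables IPS mode,
# RUST for the app-layer parsers, AF_PACKET for plain IDS capture).
# Usage after installing: sh suricata-setup.sh check

# Debian/Ubuntu names from the Suricata build docs (installed with apt-get).
UBUNTU_PKGS="build-essential libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev \
pkg-config zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev \
libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev python-yaml rustc cargo libpcre2-dev"
UBUNTU_IPS_PKGS="libnetfilter-queue-dev libnetfilter-queue1 libnetfilter-log-dev \
libnetfilter-log1 libnfnetlink-dev libnfnetlink0"
# Arch equivalents. Assumed names from the Arch repositories; confirm each with
# "pacman -Ss <name>" before relying on them.
ARCH_PKGS="base-devel libpcap libnet libyaml pkgconf zlib libcap-ng file geoip \
lua51 hiredis libevent python-yaml rust pcre2"
ARCH_IPS_PKGS="libnetfilter_queue libnetfilter_log libnfnetlink"

# Read the distro id from /etc/os-release (ubuntu, debian, arch, ...).
detect_distro() {
  sed -n 's/^ID=//p' /etc/os-release 2>/dev/null | tr -d '"'
}

# Print, but do not run, the dependency install command for a distro id.
install_cmd() {
  case "$1" in
    ubuntu|debian) echo "sudo apt-get install -y $UBUNTU_PKGS $UBUNTU_IPS_PKGS" ;;
    arch)          echo "sudo pacman -S --needed $ARCH_PKGS $ARCH_IPS_PKGS" ;;
    *) echo "unsupported distro: $1" >&2; return 1 ;;
  esac
}

# Succeed only if the "Features:" line of saved `suricata --build-info` output
# (file given as $1) lists every feature named in the remaining arguments.
has_features() {
  info=$1; shift
  feats=$(sed -n 's/^Features: //p' "$info")
  [ -n "$feats" ] || { echo "no Features line in $info" >&2; return 1; }
  for want in "$@"; do
    case " $feats " in
      *" $want "*) ;;
      *) echo "suricata was built without $want" >&2; return 1 ;;
    esac
  done
}

# What this tutorial needs: IDS capture, IPS via NFQUEUE, Rust-based parsers.
check_suricata_build() {
  has_features "$1" AF_PACKET NFQ RUST
}

if [ "${1:-}" = "check" ]; then
  distro=$(detect_distro)
  echo "detected distro: ${distro:-unknown}"
  echo "dependency install command:"
  install_cmd "$distro"
  tmp=$(mktemp)
  suricata --build-info > "$tmp" 2>/dev/null || { echo "suricata not in PATH" >&2; exit 1; }
  if check_suricata_build "$tmp"; then echo "build features OK"; status=0; else status=1; fi
  rm -f "$tmp"
  exit $status
fi
```

The script deliberately prints the install command instead of executing it, so it can be reviewed (or pasted into a provisioning tool) before anything runs as root; the feature check is the part worth keeping around, since a Suricata that lacks NFQ will silently refuse to start in IPS mode later.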