Suricata is a free and open source, mature, fast and robust network threat detection engine.

Elasticsearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. As the heart of the free and open Elastic Stack, it centrally stores your data for lightning fast search, fine-tuned relevancy, and powerful analytics that scale with ease.

Logstash is an open source, server-side data processing pipeline that ingests data from a multitude of sources simultaneously, transforms it, and then sends it to your favorite "stash."

Kibana lets you visualize your Elasticsearch data and navigate the Elastic Stack so you can do anything from tracking query load to understanding the way requests flow through your apps.

Scirius is a web interface dedicated to Suricata ruleset management. It handles the rules file and update associated files.

Evebox is a web based alert and event management tool for events generated by the Suricata network threat detection engine.

Beats is the platform for single-purpose data shippers. They send data from hundreds or thousands of machines and systems to Logstash or Elasticsearch. There are several useful flavors.

• Filebeat helps you keep the simple things simple by offering a lightweight way to forward and centralize logs and files.
• Metricbeat collects metrics from your systems and services and is a lightweight way to send system and service statistics.
• Heartbeat monitors services for their availability with active probing.
• Auditbeat collects your Linux audit framework data and monitors the integrity of your files.

1. Download the SELKS, Debian-based *.iso here and install it in a VM
   • Create a VM (64-bit Debian template) using the *.iso downloaded from above
   • Create a disk that is at least 35GB
   • Create a second network adapter that is attached to VMnet1
   • Select the non-graphical install
   • Specify the first network adapter (e.g., ens33) as the primary network interface (Internet connected)
   • Specify the hostname as SELKS the domain for the primary network interface does not matter
2. Boot the new VM
   • default credentials are selks-user, selks-user
3. Install VMware tools and create shared folders
4. Shut the VM down and take a snapshot
5. Boot the VM again
6. Share a cloned copy of our NwSec repository with the VM
7. Run $ sudo config_networking.sh (this file), when it finishes VM reboots
8. Run $ sudo config_selks.sh (this file, when it finishes VM reboots
9. Rules management is via this page
10. Kibana access is via this page

1. From the VM, download the *.deb packages using $ ./downloadbeats.sh
2. From the VM, install Filebeat using `$ ./installbeats.sh -c -f
   • From the container, enable Filebeat modules (e.g., system) using # filebeat modules enable <MODULENAME>
3. From the VM, install Heartbeat using `$ ./installbeats.sh -c -H
4. From the VM, install Metricbeat using `$ ./installbeats.sh -c -m
5. From the VM, install Packetbeat using `$ ./installbeats.sh -c -p
6. To query versions, from the container, use:
   • $ sudo /usr/share/packetbeat/bin/packetbeat --version
   • $ sudo /usr/share/metricbeat/bin/metricbeat --version
   • $ sudo /usr/share/filebeat/bin/filebeat --version
   • $ sudo /usr/share/heartbeat/bin/heartbeat --version

It doesn't look like we can install Auditbeat in a Docker container. Install it to the VM instead.

1. $ curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.12.1-amd64.deb
2. $ sudo dpkg -i auditbeat-7.12.1-amd64.deb
3. $ cat /usr/share/auditbeat/README.md
4. Add the lines below to: /etc/auditbeat/auditbeat.yml

   
    setup.kibana:
      host: "http://selks.nwsecdocker.jhu.edu:5601"
   
    output.elasticsearch:
      hosts: ["selks.nwsecdocker.jhu.edu:9200"]
    

5. cd into /usr/share/auditbeat
6. $ sudo auditbeat setup --path.config /etc/auditbeat-c auditbeat.yml --dashboards -e
7. To query auditbeatversion, use: * $ sudo /usr/share/auditbeat/bin/auditbeat--version

1. In Kibana, go to Management->Stack Management
2. Select Index patterns
   • Create index patterns for aliases filebeat-7.12.1, heartbeat-7.12.1, metricbeat-7.12.1, packetbeat-7.12.1, and logstash-*
   • Each is created separately and should have @timestamp selected for their time field
3. Upload Dashboards for Beats
   • Note: it is only necessary to run once for each Beat type
   • From a beats host:
     • To import packetbeat dashboard: cd /usr/share/packetbeat && sudo packetbeat setup --path.config /etc/packetbeat -c packetbeat.yml --dashboards -e
     • To import metricbeat dashboard: cd /usr/share/metricbeat && sudo metricbeat setup --path.config /etc/metricbeat -c metricbeat.yml --dashboards -e
     • To import filebeat dashboard: cd /usr/share/filebeat && sudo filebeat setup --path.config /etc/filebeat -c filebeat.yml --dashboards -e
     • It doesn't look as if heartbeat has dashboards to import
     • To import auditbeat dashboard: cd /usr/share/auditbeat && sudo auditbeat setup --path.config /etc/auditbeat -c auditbeat.yml --dashboards -e

• Query elastic-stack components using:
  • logstash API: $ sudo curl -XGET 'selks.nwsecdocker.jhu.edu:9600/?pretty'
  • elasticsearch API: $ curl -XGET 'selks.nwsecdocker.jhu.edu:9200/_cluster/health?pretty'
  • logstash API: $ curl -XGET http://selks.nwsecdocker.jhu.edu:5601/status (use -I to view headers only)
• Troubleshoot receipt from collectors:
  • netflow input to logstash - $ sudo tcpdump -ni ens34 udp port 2055 -v
  • filebeat and metricbeat input to elasticsearch - $ sudo tcpdump -ni ens34 tcp port 9200 -v
• Verify components are listening on appropriate ports:
  • logstash - $ netstat -an | grep 9600
  • elasticsearch - $ netstat -an | grep 9200
  • kibana - $ netstat -an | grep 5601
• Version for elastic-stack components should match; to query versions for elastic-stack software components, use:
  • $ sudo /usr/share/kibana/bin/kibana -c /etc/kibana/kibana.yml --allow-root --version
  • $ sudo /usr/share/elasticsearch/bin/elasticsearch --version
  • $ sudo /usr/share/logstash/bin/logstash --version
• Clear out elasticsearch database using: $ sudo curl -X DELETE 'http://selks.nwsecdocker.jhu.edu:9200/_all'
• Default settings replicate shards; having only one cluster, duplicated shards will be unassigned and generate warnings; this is expected behavior and not an issue
• https://www.elastic.co/guide/en/logstash/current/monitoring-logstash.html

• https://github.com/StamusNetworks/SELKS
• https://molo.ch/faq#maxmind
• https://www.elastic.co/guide/en/logstash/current/netflow-module.html