Setting up a network monitoring system using Suricata, Filebeat, Elasticsearch, Prometheus, and Grafana ensures comprehensive network security and performance analysis. This system helps detect intrusion attempts, monitor system performance, and visualize data for real-time decision-making.
Overview of the Monitoring System
The monitoring system is built using the following key components:
- Suricata: A high-performance intrusion detection system (IDS) and intrusion prevention system (IPS).
- Filebeat: A lightweight log shipper that forwards Suricata’s log data to Elasticsearch.
- Elasticsearch: A powerful search and analytics engine for indexing and querying log data.
- Prometheus: A performance monitoring tool that tracks system resource usage.
- Grafana: A visualization platform for security alerts and system metrics.
Why Choose This System?
Choosing this setup allows you to:
- Detect intrusion attempts with Suricata, which excels at deep packet inspection and identifying suspicious activities.
- Easily collect and forward log data using Filebeat, which integrates smoothly with Elasticsearch.
- Analyze and visualize both network security and system performance data using Grafana, combining logs and metrics in real-time dashboards.
- Track performance with Prometheus, which focuses on system metrics like CPU, memory, and network usage.
System Requirements
To set up this monitoring system, the following machines are needed (the two Ubuntu hosts keep the sensor separate from the analysis stack):
- Kali Linux for attack simulation.
- Ubuntu 20.04 (4GB RAM, 4 cores, 30GB disk) for running Suricata, Filebeat, and Node Exporter.
- Ubuntu 20.04 (4GB RAM, 4 cores, 30GB disk) for running Elasticsearch, Prometheus, and Grafana.
Step-by-Step Installation
Installing Suricata
Start by updating the system:
sudo apt update && sudo apt upgrade
Install Suricata together with jq, which is used to read Suricata's JSON event log (eve.json) on the command line:
sudo apt-get install suricata jq
Edit the Suricata configuration to set the interface it should capture on and the rule files it should load for intrusion detection:
sudo gedit /etc/suricata/suricata.yaml
Configuring Filebeat
Download and install Filebeat, then configure it to forward logs to Elasticsearch:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.15.0-amd64.deb
sudo dpkg -i filebeat-8.15.0-amd64.deb
Setting Up Elasticsearch
Install Elasticsearch (the package comes from the Elastic apt repository, which must be added first) and configure it to receive the Suricata logs shipped by Filebeat:
sudo apt-get update && sudo apt-get install elasticsearch
Installing and Configuring Grafana
Install Grafana (from the Grafana apt repository, which must be added first) to visualize performance metrics and security events:
sudo apt-get install grafana-enterprise
Prometheus Installation
Install Prometheus to monitor system resources by downloading the release tarball and extracting it:
tar xvfz prometheus-2.53.2.linux-amd64.tar.gz
Demo Scenarios
Scenario 1: Detecting Reconnaissance Attacks with Nmap
Simulate an attack using Nmap from a Kali Linux machine and monitor Suricata alerts in Grafana:
nmap -sA -v 192.168.38.134
Scenario 2: Detecting DDoS Attacks with Hping3
Run a SYN flood attack using Hping3 and observe Suricata's alerts and Grafana's metrics:
hping3 -S -p 80 --flood 192.168.38.134
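Both scenarios leave alert records in Suricata's eve.json, which Filebeat forwards to Elasticsearch. The following script is an added example, not part of the original post: it reads EVE lines, keeps only alert events, aggregates them per source IP, and lists the sources a defender should triage first (many distinct destination ports, as in the scan, or a severity-1 alert, as in the flood). The sample lines, addresses and signature texts are constructed; only the field names follow Suricata's EVE schema.

```python
import json
from collections import defaultdict

# Constructed eve.json lines for the example. Field names follow Suricata's EVE
# schema (event_type, src_ip, dest_ip, dest_port, alert.signature, alert.severity,
# where severity 1 is the highest priority); addresses and signature text are made up.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"192.168.38.130","dest_ip":"192.168.38.134","dest_port":22,"proto":"TCP","alert":{"signature":"EXAMPLE SCAN port probe","severity":2}}',
    '{"event_type":"alert","src_ip":"192.168.38.130","dest_ip":"192.168.38.134","dest_port":80,"proto":"TCP","alert":{"signature":"EXAMPLE SCAN port probe","severity":2}}',
    '{"event_type":"alert","src_ip":"192.168.38.130","dest_ip":"192.168.38.134","dest_port":443,"proto":"TCP","alert":{"signature":"EXAMPLE SCAN port probe","severity":2}}',
    '{"event_type":"alert","src_ip":"192.168.38.131","dest_ip":"192.168.38.134","dest_port":80,"proto":"TCP","alert":{"signature":"EXAMPLE STREAM excessive retransmissions","severity":3}}',
    '{"event_type":"alert","src_ip":"192.168.38.131","dest_ip":"192.168.38.134","dest_port":80,"proto":"TCP","alert":{"signature":"EXAMPLE DOS possible SYN flood","severity":1}}',
    '{"event_type":"flow","src_ip":"192.168.38.1","dest_ip":"192.168.38.134","dest_port":53,"proto":"UDP"}',
    'this line is not JSON and must be skipped',
]

def parse_alerts(lines):
    """Yield only event_type == "alert" records; skip malformed or non-alert lines."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert" and isinstance(event.get("alert"), dict):
            yield event

def summarise_by_source(lines):
    """Per source IP: alert count, distinct destination ports, signatures, top severity."""
    # top_severity starts above any real value; Suricata uses 3 when a rule sets none.
    summary = defaultdict(lambda: {"alerts": 0, "dest_ports": set(),
                                   "signatures": set(), "top_severity": 99})
    for event in parse_alerts(lines):
        entry = summary[event["src_ip"]]
        entry["alerts"] += 1
        entry["dest_ports"].add(event.get("dest_port"))
        entry["signatures"].add(event["alert"].get("signature", "<no signature>"))
        entry["top_severity"] = min(entry["top_severity"], event["alert"].get("severity", 3))
    return dict(summary)

def sources_to_triage(summary, min_ports=3, max_severity=1):
    """Sources that touched many ports (scan-like) or raised an alert at/above max_severity."""
    return sorted(ip for ip, e in summary.items()
                  if len(e["dest_ports"]) >= min_ports or e["top_severity"] <= max_severity)

if __name__ == "__main__":
    s = summarise_by_source(SAMPLE_EVE_LINES)
    for ip in sources_to_triage(s):
        print(ip, s[ip]["alerts"], sorted(s[ip]["dest_ports"]), sorted(s[ip]["signatures"]))
```

To run it against a live sensor, replace SAMPLE_EVE_LINES with the lines of /var/log/suricata/eve.json.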
Conclusion
By setting up a monitoring system using Suricata, Filebeat, Elasticsearch, Prometheus, and Grafana, you can ensure your network is protected from security threats and monitor system performance in real-time. This system provides a robust, scalable, and easy-to-visualize solution for any cybersecurity professional.