Suricata / MongoDB / Splunk Installation

Suricata

The installation steps below are for Ubuntu 14 LTS minimal.

Before the installation of Suricata, FluentD and Mongo, perform the following:

sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make libmagic-dev

Download, configure and install Suricata:

wget http://www.openinfosecfoundation.org/download/suricata-2.0.6.tar.gz
tar -xvzf suricata-2.0.6.tar.gz
cd suricata-2.0.6

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
sudo make install
sudo ldconfig

Alternatively, with the same configure options, install-full also installs the default configuration and rule set in one step:

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var && make && sudo make install-full

By default, JSON logs are written to /var/log/suricata/eve.json, one event per line.

Download and install MongoDB

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10
echo 'deb http://downloads-distro.mongodb.org/repo/ubuntu-upstart dist 10gen' | sudo tee /etc/apt/sources.list.d/mongodb.list
sudo apt-get update
sudo apt-get install -y mongodb-org
sudo service mongod start

Initial import can be completed by doing the following:

mongoimport --db filejsondb --collection filejson --file /var/log/suricata/eve.json
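The mongoimport command above is a one-off load; re-running it on an eve.json that Suricata keeps appending to inserts every earlier event a second time. The following Python script is an added example, not part of the original post: it parses the newline-delimited EVE format on a constructed sample, skips a partially written line, gives each event a deterministic _id, and upserts into the same filejsondb/filejson collection. The upsert_events function assumes pymongo is installed and mongod is reachable on localhost.

```python
import hashlib
import json

# Constructed sample of EVE output (three lines, the last one deliberately
# malformed). Field names follow the EVE format; the values are made up.
SAMPLE_EVE = (
    '{"timestamp":"2015-03-01T10:00:00.000000+0000","flow_id":1,"event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":9000001,'
    '"signature":"CONSTRUCTED example signature","severity":2}}\n'
    '{"timestamp":"2015-03-01T10:00:01.000000+0000","flow_id":2,"event_type":"http",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","http":{"hostname":"example.test","url":"/"}}\n'
    "this line is not JSON and is skipped\n"
)


def event_id(doc):
    """Deterministic _id: SHA-256 of the event's canonical JSON form, so the
    same eve.json line always maps to the same MongoDB document."""
    canonical = json.dumps(doc, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def parse_eve(text, event_types=None):
    """Parse newline-delimited EVE JSON into documents carrying an _id.
    Returns (docs, skipped); event_types, if given, keeps only those types."""
    docs, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            doc = json.loads(line)
        except ValueError:
            skipped += 1  # partial line while Suricata was writing, or corruption
            continue
        if event_types and doc.get("event_type") not in event_types:
            continue
        doc["_id"] = event_id(doc)
        docs.append(doc)
    return docs, skipped


def upsert_events(docs, uri="mongodb://localhost:27017", db="filejsondb", coll="filejson"):
    """Upsert by _id so the import can be re-run as eve.json grows.
    Assumes pymongo is installed and mongod is reachable (not exercised here)."""
    from pymongo import MongoClient, ReplaceOne
    if not docs:
        return 0
    ops = [ReplaceOne({"_id": d["_id"]}, d, upsert=True) for d in docs]
    return MongoClient(uri)[db][coll].bulk_write(ops, ordered=False).upserted_count
```

Running parse_eve over the real file (open("/var/log/suricata/eve.json").read()) and passing the result to upsert_events gives an import that can be scheduled repeatedly without duplicating events.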

Optional:

The Splunk universal forwarder can be used for real-time ingest into Splunk.

Install the most recent forwarder, then point it at the Splunk indexer (ipaddress is the indexer's address, 9997 its receiving port) and monitor the EVE log:

./splunk add forward-server ipaddress:9997

./splunk add monitor /var/log/suricata/eve.json