Suricata IDS - monitoring

Hellfire
Posts: 697
Joined: November 8th, 2015, 8:54 am


Post by Hellfire » May 4th, 2019, 7:26 pm

Hi,

will the new IDS Suricata on IPFire have any graphical logs as shown on https://suricata-ids.org/features/ below the paragraph "Industry standard outputs"? Or is this subject to 3rd party tools as mentioned on that website?

Michael

Arne.F
Core Developer
Posts: 8522
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH
Contact:

Re: Suricata IDS - monitoring

Post by Arne.F » May 6th, 2019, 8:44 am

Industry standard outputs

With 2.0 we introduced “Eve”, our all JSON event and alert output. This allows for easy integration with Logstash and similar tools.
"This allows" does not mean that it is included in Suricata. Suricata in IPFire has similar log output to Snort.
Arne

Support the project with a donation!

PS: I will not answer support questions via email and ignore IPFire related messages on my non IPFire.org mail addresses.

lenny
Posts: 406
Joined: October 4th, 2011, 12:47 pm

Re: Suricata IDS - monitoring

Post by lenny » May 20th, 2019, 6:49 am

Does the new IPS show if a client or IP is being blocked?

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: Suricata IDS - monitoring

Post by ummeegge » May 20th, 2019, 4:57 pm

Hi all,
Arne.F wrote:
May 6th, 2019, 8:44 am
With 2.0 we introduced “Eve”, our all JSON event and alert output. This allows for easy integration with Logstash and similar tools.
Evebox --> https://evebox.org/ is interesting in my opinion, but Suricata on IPFire currently lacks support for logging in JSON format. Have tried it, which additionally needs

Code:

		--with-libjansson-libraries=/usr/lib \
		--with-libjansson-includes=/usr/include \
in the Suricata LFS. Since Jansson is already available in IPFire, it nevertheless needs to be reordered in make.sh so that it is built before Suricata; after recompiling with the new compile-time settings, a first try with the SQLite DB already integrated in Evebox (no Elasticsearch) required some eve-related entries in suricata.yaml. Have tried it with this one:

Code:

--- /etc/suricata/suricata.yaml.orig	2019-05-19 09:19:17.548041147 +0200
+++ /etc/suricata/suricata.yaml	2019-05-19 18:08:50.668307026 +0200
@@ -87,6 +87,23 @@
       totals: yes       # stats for all threads merged together
       threads: no       # per thread stats
       #null-values: yes  # print counters that have value 0
+  - eve-log:
+      enabled: yes
+      type: file #file|syslog|unix_dgram|unix_stream
+      filename: eve.json
+      types:
+        - alert
+        - http:
+            extended: yes     # enable this for extended logging information
+        - dns
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - files:
+            force-magic: no   # force logging magic on all logged files
+            force-md5: no     # force logging of md5 checksums
+        #- drop
+        - ssh
+
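Review bot: with `#- drop` left commented out in the `types` list, drop events never reach eve.json, so the EveBox inbox will show alerts but not which traffic the IPS actually blocked; uncomment `- drop` if that view is wanted. Also note that `filename: eve.json` is relative to Suricata's default-log-dir, which must resolve to the `--input /var/log/suricata/eve.json` path passed to evebox further down in the post.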

which seems to work well; for more see --> https://suricata.readthedocs.io/en/suri ... utput.html. Used the Evebox binary since it is written in Go and IPFire can't currently compile Go sources. Besides some smaller side work, the following command

Code:

./evebox -v -D /var/evebox --datastore sqlite --input /var/log/suricata/eve.json
points the following out

Code:

2019-05-20 18:48:00 (evebox.go:114) <Info> -- No command provided, defaulting to server.
2019-05-20 18:48:00 (server.go:178) <Info> -- This is EveBox Server version 0.10.2 (rev: 56b673c); os=linux, arch=amd64
2019-05-20 18:48:00 (server.go:267) <Info> -- Self test: found embedded index.html.
2019-05-20 18:48:00 (geoip.go:115) <Debug> -- Loading geoip database /etc/evebox/GeoLite2-City.mmdb
2019-05-20 18:48:00 (configdb.go:59) <Info> -- Using configuration database file /var/evebox/config.sqlite
2019-05-20 18:48:00 (migrator.go:66) <Debug> -- Current database schema version: 1
2019-05-20 18:48:00 (sqlite.go:140) <Info> -- Configuring SQLite datastore
2019-05-20 18:48:00 (sqlite.go:146) <Info> -- SQLite event store using file /var/evebox/events.sqlite
2019-05-20 18:48:00 (sqlite.go:60) <Debug> -- Opening SQLite database /var/evebox/events.sqlite
2019-05-20 18:48:00 (migrator.go:66) <Debug> -- Current database schema version: 2
2019-05-20 18:48:00 (sqlite.go:94) <Info> -- Retention period: 0 days
2019-05-20 18:48:00 (server.go:464) <Info> -- Configuring internal eve log reader
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 22 rules from /var/lib/suricata/botcc.portgrouped.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 251 rules from /var/lib/suricata/botcc.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 100 rules from /var/lib/suricata/ciarmy.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 20 rules from /var/lib/suricata/compromised.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 31 rules from /var/lib/suricata/drop.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 1 rules from /var/lib/suricata/dshield.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 533 rules from /var/lib/suricata/emerging-activex.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 217 rules from /var/lib/suricata/emerging-attack_response.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 91 rules from /var/lib/suricata/emerging-chat.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 3065 rules from /var/lib/suricata/emerging-current_events.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 2600 rules from /var/lib/suricata/emerging-deleted.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 80 rules from /var/lib/suricata/emerging-dns.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 110 rules from /var/lib/suricata/emerging-dos.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 737 rules from /var/lib/suricata/emerging-exploit.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 117 rules from /var/lib/suricata/emerging-ftp.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 74 rules from /var/lib/suricata/emerging-games.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 39 rules from /var/lib/suricata/emerging-icmp.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 66 rules from /var/lib/suricata/emerging-icmp_info.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 33 rules from /var/lib/suricata/emerging-imap.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 25 rules from /var/lib/suricata/emerging-inappropriate.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 596 rules from /var/lib/suricata/emerging-info.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 1044 rules from /var/lib/suricata/emerging-malware.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 63 rules from /var/lib/suricata/emerging-misc.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 608 rules from /var/lib/suricata/emerging-mobile_malware.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 475 rules from /var/lib/suricata/emerging-netbios.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 118 rules from /var/lib/suricata/emerging-p2p.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 958 rules from /var/lib/suricata/emerging-policy.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 20 rules from /var/lib/suricata/emerging-pop3.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 116 rules from /var/lib/suricata/emerging-rpc.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 18 rules from /var/lib/suricata/emerging-scada.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 294 rules from /var/lib/suricata/emerging-scan.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 186 rules from /var/lib/suricata/emerging-shellcode.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 22 rules from /var/lib/suricata/emerging-smtp.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 33 rules from /var/lib/suricata/emerging-snmp.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 311 rules from /var/lib/suricata/emerging-sql.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 13 rules from /var/lib/suricata/emerging-telnet.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 20 rules from /var/lib/suricata/emerging-tftp.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 6427 rules from /var/lib/suricata/emerging-trojan.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 311 rules from /var/lib/suricata/emerging-user_agents.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 21 rules from /var/lib/suricata/emerging-voip.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 316 rules from /var/lib/suricata/emerging-web_client.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 596 rules from /var/lib/suricata/emerging-web_server.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 5556 rules from /var/lib/suricata/emerging-web_specific_apps.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 19 rules from /var/lib/suricata/emerging-worm.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 821 rules from /var/lib/suricata/tor.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 0 rules from /var/lib/suricata/whitelist.rules
2019-05-20 18:48:02 (rulemap.go:108) <Info> -- Loaded 27174 rules
2019-05-20 18:48:02 (server.go:131) <Info> -- Session reaper started
2019-05-20 18:48:02 (bookmarker.go:71) <Info> -- Using bookmark file /var/log/suricata/eve.json.bookmark
2019-05-20 18:48:02 (server.go:165) <Info> -- Authentication disabled.
2019-05-20 18:48:02 (bookmarker.go:159) <Info> -- Found valid bookmark, jumping to offset 97670
2019-05-20 18:48:02 (server.go:276) <Info> -- Listening on 0.0.0.0:5636
2019-05-20 18:48:03 (indexer.go:107) <Debug> -- Committing 100 events
2019-05-20 18:48:03 (evefileprocessor.go:166) <Debug> -- Committed 152 events in 74.155107ms

and the WI looks like the demo --> https://demo.evebox.org/#/inbox but the reports are missing since there is currently no Elasticsearch.

Interesting in my opinion!

Best,

UE

EDIT: have added also GeoIP support but not needed for this setup!
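As an added example (not code from this thread or from IPFire, Suricata or EveBox), a small Python reader for the eve.json that the eve-log section above produces, giving the alert summary an IDS status page would want and the answer to lenny's question of which sources the IPS actually blocked; the sample EVE records are constructed, with field names following Suricata's EVE schema.

```python
import json
from collections import Counter

# Constructed eve.json sample (newline-delimited JSON): a dns record, two
# alerts for one signature with different actions, a drop record, and a
# truncated last line of the kind left behind when Suricata is stopped
# mid-write. Real input is /var/log/suricata/eve.json, one record per line.
SAMPLE_EVE = """\
{"timestamp":"2019-05-20T18:47:59+0200","event_type":"dns","src_ip":"192.168.1.10","dest_ip":"192.168.1.1","dns":{"type":"query","rrname":"example.org"}}
{"timestamp":"2019-05-20T18:48:00+0200","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.168.1.10","alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","severity":2,"action":"allowed"}}
{"timestamp":"2019-05-20T18:48:01+0200","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.168.1.10","alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","severity":2,"action":"blocked"}}
{"timestamp":"2019-05-20T18:48:02+0200","event_type":"drop","src_ip":"198.51.100.7","dest_ip":"192.168.1.10","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","action":"blocked"}}
{"timestamp":"2019-05-20T18:48:03+0200","event_type":"alert","src_ip":"198.51.100.7","dest_i
"""


def summarise(lines):
    """Aggregate EVE records: alerts per signature, alerts per source IP,
    and the set of sources the IPS blocked (alert.action == "blocked" or a
    drop record). Invalid JSON lines are counted and skipped, not fatal."""
    summary = {
        "alerts_by_signature": Counter(),
        "alerts_by_src": Counter(),
        "blocked_sources": set(),
        "skipped_lines": 0,
    }
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            summary["skipped_lines"] += 1  # truncated or corrupt record
            continue
        etype = ev.get("event_type")
        alert = ev.get("alert", {})
        if etype == "alert":
            summary["alerts_by_signature"][alert.get("signature", "?")] += 1
            summary["alerts_by_src"][ev.get("src_ip", "?")] += 1
        if etype == "drop" or alert.get("action") == "blocked":
            summary["blocked_sources"].add(ev.get("src_ip", "?"))
    return summary


def summarise_file(path):
    """Same aggregation over an on-disk eve.json."""
    with open(path, encoding="utf-8") as fh:
        return summarise(fh)


if __name__ == "__main__":
    s = summarise(SAMPLE_EVE.splitlines())
    for sig, n in s["alerts_by_signature"].most_common():
        print(f"{n:5d}  {sig}")
    print("blocked sources:", sorted(s["blocked_sources"]))
    print("skipped lines:", s["skipped_lines"])
```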
