Hi,
will the new IDS Suricata on IPFire have any graphical logs as shown on https://suricata-ids.org/features/ below the paragraph "Industry standard outputs"? Or is this subject to 3rd party tools as mentioned on that website?
Michael
Suricata IDS - monitoring
Re: Suricata IDS - monitoring
Quoted from https://suricata-ids.org/features/:
Industry standard outputs
With 2.0 we introduced “Eve”, our all JSON event and alert output. This allows for easy integration with Logstash and similar tools.
"This allows" does not mean that it is included in Suricata. Suricata in IPFire has log output similar to Snort.
Arne
Support the project on the donation!
PS: I will not answer support questions via email and ignore IPFire related messages on my non IPFire.org mail addresses.
Re: Suricata IDS - monitoring
Does the new IPS show if a client or IP is being blocked?
Re: Suricata IDS - monitoring
Hi all,
Evebox --> https://evebox.org/ is interesting in my opinion, but Suricata on IPFire currently lacks support for logging in JSON format. I have tried it; it additionally needs the configure flags in the first code block below in the Suricata LFS. Since Jansson is already available in IPFire, it nevertheless needs to be reordered in make.sh before Suricata, and Suricata recompiled afterwards with the new compile-time settings. For a first try with the SQLite DB already integrated in Evebox (no Elasticsearch), suricata.yaml needed some eve-related entries. I have tried it with the diff in the second code block below, which seems to work well; for more see e.g. --> https://suricata.readthedocs.io/en/suri ... utput.html. I used the Evebox binary since it is written in Go and IPFire currently can't compile Go sources. Besides some smaller side work, the command in the third code block prints the output shown in the fourth code block, and the WI looks like the demo --> https://demo.evebox.org/#/inbox, but the reports are missing since there is currently no Elasticsearch.
Code:
--with-libjansson-libraries=/usr/lib \
--with-libjansson-includes=/usr/include \
Code:
--- /etc/suricata/suricata.yaml.orig 2019-05-19 09:19:17.548041147 +0200
+++ /etc/suricata/suricata.yaml 2019-05-19 18:08:50.668307026 +0200
@@ -87,6 +87,23 @@
totals: yes # stats for all threads merged together
threads: no # per thread stats
#null-values: yes # print counters that have value 0
+ - eve-log:
+ enabled: yes
+ type: file #file|syslog|unix_dgram|unix_stream
+ filename: eve.json
+ types:
+ - alert
+ - http:
+ extended: yes # enable this for extended logging information
+ - dns
+ - tls:
+ extended: yes # enable this for extended logging information
+ - files:
+ force-magic: no # force logging magic on all logged files
+ force-md5: no # force logging of md5 checksums
+ #- drop
+ - ssh
+
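Review bot: the `#- drop` entry in this hunk stays commented out, so with this eve-log section no drop events are ever written to eve.json and EveBox cannot show which clients the IPS actually blocked, which is exactly the question raised earlier in the thread; enable it as `- drop` when Suricata runs inline. Two smaller points: the leading whitespace of the hunk was lost when it was posted, and `- eve-log:` has to sit at the same list level as the preceding `- stats:` item under `outputs:` (the context lines `totals:`, `threads:` and `#null-values:` belong to that stats entry), otherwise Suricata rejects the YAML; and `force-md5` under `files` is the old spelling that newer suricata.yaml templates replace with `force-hash: [md5]`, so compare against the default yaml shipped with the Suricata version IPFire builds.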
Code:
./evebox -v -D /var/evebox --datastore sqlite --input /var/log/suricata/eve.json
Code:
2019-05-20 18:48:00 (evebox.go:114) <Info> -- No command provided, defaulting to server.
2019-05-20 18:48:00 (server.go:178) <Info> -- This is EveBox Server version 0.10.2 (rev: 56b673c); os=linux, arch=amd64
2019-05-20 18:48:00 (server.go:267) <Info> -- Self test: found embedded index.html.
2019-05-20 18:48:00 (geoip.go:115) <Debug> -- Loading geoip database /etc/evebox/GeoLite2-City.mmdb
2019-05-20 18:48:00 (configdb.go:59) <Info> -- Using configuration database file /var/evebox/config.sqlite
2019-05-20 18:48:00 (migrator.go:66) <Debug> -- Current database schema version: 1
2019-05-20 18:48:00 (sqlite.go:140) <Info> -- Configuring SQLite datastore
2019-05-20 18:48:00 (sqlite.go:146) <Info> -- SQLite event store using file /var/evebox/events.sqlite
2019-05-20 18:48:00 (sqlite.go:60) <Debug> -- Opening SQLite database /var/evebox/events.sqlite
2019-05-20 18:48:00 (migrator.go:66) <Debug> -- Current database schema version: 2
2019-05-20 18:48:00 (sqlite.go:94) <Info> -- Retention period: 0 days
2019-05-20 18:48:00 (server.go:464) <Info> -- Configuring internal eve log reader
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 22 rules from /var/lib/suricata/botcc.portgrouped.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 251 rules from /var/lib/suricata/botcc.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 100 rules from /var/lib/suricata/ciarmy.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 20 rules from /var/lib/suricata/compromised.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 31 rules from /var/lib/suricata/drop.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 1 rules from /var/lib/suricata/dshield.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 533 rules from /var/lib/suricata/emerging-activex.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 217 rules from /var/lib/suricata/emerging-attack_response.rules
2019-05-20 18:48:00 (rulemap.go:167) <Debug> -- Loaded 91 rules from /var/lib/suricata/emerging-chat.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 3065 rules from /var/lib/suricata/emerging-current_events.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 2600 rules from /var/lib/suricata/emerging-deleted.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 80 rules from /var/lib/suricata/emerging-dns.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 110 rules from /var/lib/suricata/emerging-dos.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 737 rules from /var/lib/suricata/emerging-exploit.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 117 rules from /var/lib/suricata/emerging-ftp.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 74 rules from /var/lib/suricata/emerging-games.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 39 rules from /var/lib/suricata/emerging-icmp.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 66 rules from /var/lib/suricata/emerging-icmp_info.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 33 rules from /var/lib/suricata/emerging-imap.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 25 rules from /var/lib/suricata/emerging-inappropriate.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 596 rules from /var/lib/suricata/emerging-info.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 1044 rules from /var/lib/suricata/emerging-malware.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 63 rules from /var/lib/suricata/emerging-misc.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 608 rules from /var/lib/suricata/emerging-mobile_malware.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 475 rules from /var/lib/suricata/emerging-netbios.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 118 rules from /var/lib/suricata/emerging-p2p.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 958 rules from /var/lib/suricata/emerging-policy.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 20 rules from /var/lib/suricata/emerging-pop3.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 116 rules from /var/lib/suricata/emerging-rpc.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 18 rules from /var/lib/suricata/emerging-scada.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 294 rules from /var/lib/suricata/emerging-scan.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 186 rules from /var/lib/suricata/emerging-shellcode.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 22 rules from /var/lib/suricata/emerging-smtp.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 33 rules from /var/lib/suricata/emerging-snmp.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 311 rules from /var/lib/suricata/emerging-sql.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 13 rules from /var/lib/suricata/emerging-telnet.rules
2019-05-20 18:48:01 (rulemap.go:167) <Debug> -- Loaded 20 rules from /var/lib/suricata/emerging-tftp.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 6427 rules from /var/lib/suricata/emerging-trojan.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 311 rules from /var/lib/suricata/emerging-user_agents.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 21 rules from /var/lib/suricata/emerging-voip.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 316 rules from /var/lib/suricata/emerging-web_client.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 596 rules from /var/lib/suricata/emerging-web_server.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 5556 rules from /var/lib/suricata/emerging-web_specific_apps.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 19 rules from /var/lib/suricata/emerging-worm.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 821 rules from /var/lib/suricata/tor.rules
2019-05-20 18:48:02 (rulemap.go:167) <Debug> -- Loaded 0 rules from /var/lib/suricata/whitelist.rules
2019-05-20 18:48:02 (rulemap.go:108) <Info> -- Loaded 27174 rules
2019-05-20 18:48:02 (server.go:131) <Info> -- Session reaper started
2019-05-20 18:48:02 (bookmarker.go:71) <Info> -- Using bookmark file /var/log/suricata/eve.json.bookmark
2019-05-20 18:48:02 (server.go:165) <Info> -- Authentication disabled.
2019-05-20 18:48:02 (bookmarker.go:159) <Info> -- Found valid bookmark, jumping to offset 97670
2019-05-20 18:48:02 (server.go:276) <Info> -- Listening on 0.0.0.0:5636
2019-05-20 18:48:03 (indexer.go:107) <Debug> -- Committing 100 events
2019-05-20 18:48:03 (evefileprocessor.go:166) <Debug> -- Committed 152 events in 74.155107ms
Interesting in my opinion!
Best,
UE
EDIT: have added also GeoIP support but not needed for this setup!
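The eve-log section above writes one JSON object per line to eve.json, and that file is what EveBox (or Logstash, or anything else) reads. The following Python script is an added example, not code from this thread, from IPFire, Suricata or EveBox; it consumes such a file directly, without EveBox or Elasticsearch, and answers the question asked earlier in the thread, whether blocked clients are visible: when Suricata runs inline, alert events carry alert.action ("allowed" or "blocked"), and dropped packets appear as separate drop events only if the "drop" type, commented out in the posted config, is enabled. The sample records are constructed: IPs, flow ids, signature ids and timestamps are made up, and only the field layout follows Suricata's EVE format. The trailing torn line stands in for what a reader sees when Suricata is still appending to the file.

```python
"""Summarise Suricata EVE JSON (eve.json) without EveBox or Elasticsearch.

Added example for this thread; it is not code from IPFire, Suricata or EveBox.
The sample records below are constructed to mirror the shape of Suricata's
"alert", "drop" and "dns" event types; IPs, flow ids, signature ids and
timestamps are made up.
"""
import json
from collections import Counter, defaultdict

# Constructed sample of eve.json: one JSON object per line, plus a torn line
# of the kind you get when reading a file Suricata is still appending to.
SAMPLE_EVE = """\
{"timestamp":"2019-05-20T18:47:59.000001+0200","flow_id":1,"in_iface":"green0","event_type":"alert","src_ip":"192.168.1.50","src_port":51000,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2000000,"rev":1,"signature":"EXAMPLE policy test","category":"Potential Corporate Privacy Violation","severity":3}}
{"timestamp":"2019-05-20T18:48:00.000002+0200","flow_id":2,"in_iface":"green0","event_type":"alert","src_ip":"192.168.1.77","src_port":52000,"dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2000001,"rev":2,"signature":"EXAMPLE trojan C2 test","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-05-20T18:48:00.000003+0200","flow_id":2,"in_iface":"green0","event_type":"drop","src_ip":"192.168.1.77","src_port":52000,"dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP","drop":{"len":60,"tos":0,"ttl":64,"ipid":4711,"tcpseq":1,"tcpack":0,"tcpwin":65535,"syn":true,"ack":false,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2019-05-20T18:48:01.000004+0200","flow_id":3,"in_iface":"green0","event_type":"dns","src_ip":"192.168.1.50","src_port":40000,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1,"rrname":"example.org","rrtype":"A","tx_id":0}}
{"timestamp":"2019-05-20T18:48:01.000005+0200","flow_id":4,"event_type":"al
"""


def parse_eve(text):
    """Return one dict per well-formed JSON line; skip blank or corrupt lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # Torn or corrupt record: keep going, a tail reader sees this often.
            continue
    return events


def summarise(events):
    """Count events per event_type and, per source IP, collect what the IPS
    blocked: signature ids of alerts with alert.action == "blocked" (Suricata
    sets this only when running inline) and the number of drop events (only
    present if the "drop" type is enabled in eve-log)."""
    by_type = Counter()
    blocked = defaultdict(lambda: {"signatures": set(), "dropped_packets": 0})
    for ev in events:
        etype = ev.get("event_type")
        by_type[etype] += 1
        src = ev.get("src_ip")
        if etype == "alert" and ev.get("alert", {}).get("action") == "blocked":
            blocked[src]["signatures"].add(ev["alert"]["signature_id"])
        elif etype == "drop":
            blocked[src]["dropped_packets"] += 1
    return by_type, dict(blocked)


def blocked_hosts(text):
    """Sorted source IPs the IPS blocked: the answer to 'does it show who is blocked'."""
    _, blocked = summarise(parse_eve(text))
    return sorted(blocked)


if __name__ == "__main__":
    by_type, blocked = summarise(parse_eve(SAMPLE_EVE))
    for etype, n in sorted(by_type.items()):
        print(f"{etype:>6}: {n}")
    for ip, info in sorted(blocked.items()):
        sids = ",".join(str(s) for s in sorted(info["signatures"]))
        print(f"blocked {ip}: sids [{sids}], dropped packets {info['dropped_packets']}")
```

On a live box you would feed /var/log/suricata/eve.json (the path the EveBox command above reads) to parse_eve instead of the constructed sample; the allowed alert from 192.168.1.50 is deliberately not reported as blocked, which is the distinction an IDS-only log cannot make.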