tips:suricata-eve-unixsocket
Table of Contents
Suricata-EVE-Unixsocket
This article provides instructions for installing Suricata-Eve-Unixsocket app in Trisul Network Analytics. The Suricata-Eve app allows you to integrate Suricata IDS alerts into Trisul metrics framework.
Installation
1. Installing Suricata App
- You can install the app by logging in as admin and selecting Web Admin > Manage > Apps > Suricata via Eve Unixsocket.
2. Installing Suricata version 5.0
Please install Suricata by running the following command,
add-apt-repository ppa:oisf/suricata-stable sudo apt-get update apt-get install suricata
3. Updating with latest ruleset
Use the following command to update the latest emerging-threats ruleset
sudo suricata-update
suricata-update puts the combined rules in /var/lib/suricata/rules
which is owned by root. Make sure the trisul user can read this directory.
sudo chown trisul.trisul /var/lib/suricata -R
4. Enabling EVE_unix Socket
- locate the 'Outputs' section in /etc/suricata/suricata.yaml enable EVE logging as shown below.
# Extensible Event Format (nicknamed EVE) event log in JSON format - eve-log: enabled: yes filetype: unix_dgram #regular| filename: suricata_eve.socket
The Filename is 'suricata_eve.socket' is the name of the Unix Datagram socket file that Trisul will listen to later.
5. Starting Suricata
- Login as Admin and Select Admin Tasks.
- Click on 'More options' dropbox at the end of probe0.
- You will find a Dialog box with command line to install Suricata as below.
- Cut and paste the command shown into a terminal to start suricata
sudo suricata --user trisul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i ens33 -D
6. Viewing Alerts
7. Starting Suricata Automatically
- You need to install monit to enable this feature.
- Add a shellscript named start-suricata.sh in /usr/local/etc/trisul-probe/
#!/bin/bash echo "Removing PID file" /bin/rm -f /var/run/suricata.pid echo "Starting suricata" /usr/bin/suricata --user trisul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i ens18 -D echo "Done starting suricata"
- Make sure the shell script start-suricata.sh is executable. It can be done by
chmod +x start-suricata.sh
- You need to add the following statements in the /etc/monit/monitrc file.
check process suricata with pidfile /var/run/suricata.pid start program = "/usr/local/etc/trisul-probe/start-suricata.sh"
- Please ensure you restart monit
systemctl restart monit
tips/suricata-eve-unixsocket.txt · Last modified: 2020/09/28 17:22 by navaneeth