tips:suricata-eve-unixsocket

tips:suricata-eve-unixsocket [2020/08/27 19:04] navaneeth
tips:suricata-eve-unixsocket [2020/09/10 16:28] – [2. Installing Suricata version 5.0] veera
Line 12: Line 12:
 {{:tips:suricata-app-admin.png?600|}} {{:tips:suricata-app-admin.png?600|}}
  
-==== 2. Installing Suricata ====+==== 2. Installing Suricata version 5.0 ====
 Please install Suricata by running the following command, Please install Suricata by running the following command,
  
Line 20: Line 20:
 apt-get install suricata apt-get install suricata
 </code> </code>
 +
 +
 +===== Updating with latest ruleset =====
 +
 +Use the following command to update the latest emerging-threats ruleset
 +
 +<code>sudo suricata-update</code>
 +
 +suricata-update puts the combined rules in ''/var/lib/suricata/rules'' which is owned by root. Make sure the trisul user can read this directory.
 +
 +<code>sudo chown trisul.trisul /var/lib/suricata -R </code>
 +
 +
 +
 +
 +
 +
  
 ==== 3. Installing Emerging Threat Rules 5.0 ==== ==== 3. Installing Emerging Threat Rules 5.0 ====
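Review bot: the added `sudo chown trisul.trisul /var/lib/suricata -R` grants more than the sentence before it asks for. The text says the trisul user only needs to read the rules directory, but the command hands recursive ownership of all of /var/lib/suricata to the trisul user, which also lets that (non-root) user rewrite the ruleset Suricata loads. A read-only grant, such as `chmod -R a+rX /var/lib/suricata/rules` or group read access for a group trisul belongs to, matches the stated intent with less exposure. Two smaller points: `trisul:trisul` is the documented owner:group syntax (the dot form is a legacy spelling), and since `suricata-update` is run with sudo, ownership of the rules it writes should be re-checked after each update rather than assumed to persist.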
Line 32: Line 49:
 </code> </code>
  
-<note important>Please ensure that you run these commands in root</note>+<note important>Please ensure that you run these commands as root</note>
  
 ==== 4. Enabling EVE_unix Socket ==== ==== 4. Enabling EVE_unix Socket ====
Line 46: Line 63:
 </code> </code>
 <note>The Filename is 'suricata_eve.socket' is the name of the Unix Datagram socket file that Trisul will listen to later.</note> <note>The Filename is 'suricata_eve.socket' is the name of the Unix Datagram socket file that Trisul will listen to later.</note>
- 
-  * And, also disable the 'fast.log' in ///etc/suricata/suricata.yaml// as shown below. 
- 
-<code>outputs: 
-  # a line based alerts log similar to Snort's fast.log 
-  - fast: 
-      enabled: no 
-      filename: fast.log 
-      append: yes 
-      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'</code> 
              
  
Line 62: Line 69:
   * Click on 'More options' dropbox at the end of probe0.   * Click on 'More options' dropbox at the end of probe0.
   * You will find a Dialog box with command line to install Suricata as below.   * You will find a Dialog box with command line to install Suricata as below.
 +  * Cut and paste the command shown into a terminal to start suricata 
  
 <code>sudo suricata --user trisul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i ens33 -D <code>sudo suricata --user trisul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i ens33 -D
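Review bot: the new bullet tells the reader to cut and paste the command as shown, but the command in this hunk carries a machine-specific capture interface (`-i ens33`). The bullet should say that the interface name, and any other host-specific value in the dialog, must be checked against the reader's own system before running the command, otherwise Suricata starts on the wrong interface (or fails to start) and produces no alerts on the socket.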
Line 69: Line 77:
 {{:app:how_to_start_suricata.png?600|}} {{:app:how_to_start_suricata.png?600|}}
  
-<note important>Please ensure you enter the correct Interface name.</note> +==== 6. Viewing Alerts ====
- +
-{{:tips:suricata-alert.png?600|}} +
- +
-==== 6. Updating with latest rules ==== +
- +
-If you have already installed suricata and you want to update with the latest rules. Use the following command. +
- +
-<code>sudo suricata-update</code> +
- +
- +
  
  
 +{{:tips:suricata-alert.png?600|}}
  
  
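Review bot: this hunk drops the `<note important>` asking the reader to verify the interface name, at the same time as the previous hunk adds a pasteable command that hardcodes `-i ens33`; the caveat was the only place the page warned about that, so it should be kept (or folded into the new cut-and-paste bullet). Separately, the new "==== 6. Viewing Alerts ====" heading introduces a section that contains only the moved screenshot `{{:tips:suricata-alert.png?600|}}`; a line telling the reader where in Trisul the alerts appear would make the section self-explanatory.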
tips/suricata-eve-unixsocket.txt · Last modified: 2020/09/28 17:22 by navaneeth