Suricata-EVE-Unixsocket

This article provides guidelines for installing the Suricata-Eve-Unixsocket app in Trisul Network Analytics.

The app feeds Suricata's threat signature matches into Trisul, turning them into a frontline alert monitoring system for an enterprise. Suricata matches usually show up as IDS alerts in Trisul.

Installation

1. Installing Suricata

  • Install the app by logging in as admin and selecting Web Admin > Manage > Apps > Suricata via Eve Unixsocket.

  • Install Suricata itself by running the following command:
apt-get install suricata

2. Installing Emerging Threat Rules

  • You have to install the Emerging Threats Open community rules, the rule set whose alerts Trisul will listen to.
  • Download and unpack the Emerging Threats Open rules into /etc/suricata:
# cd /etc/suricata
# wget https://rules.emergingthreats.net/open/suricata-4.0.0/emerging.rules.tar.gz
# tar xf emerging.rules.tar.gz
Run these commands as root (the # prompt denotes a root shell).

3. Enabling EVE output

  • Locate the 'outputs' section in /etc/suricata/suricata.yaml and enable EVE logging as shown below.
# Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: unix_dgram  # the default is 'regular', a plain log file
      filename: suricata_eve.socket
The 'filename' value, suricata_eve.socket, is the name of the Unix datagram socket file that Trisul will listen on later; it is resolved relative to Suricata's log directory (set with -l when Suricata is started below).

4. Tuning the Rules

Going live with the full ET Open rule set may flood you with Suricata stream alerts. To avoid that, make the following changes:

  • Open /etc/suricata/suricata.yaml and locate the 'rule-files' section.
  • Comment out the 'decoder-events.rules' and 'stream-events.rules' entries as shown:
 - tor.rules
 # - decoder-events.rules # available in suricata sources dir
 # - stream-events.rules  # available in suricata sources dir
 - http-events.rules    # available in suricata sources dir

5. Starting Suricata

Run Suricata with the log directory set to the default context run directory (where the EVE socket file will be created), using the command:

suricata -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i enp0s25 -D
Replace enp0s25 with the name of the interface you want Suricata to monitor.
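To confirm that Suricata is actually delivering EVE records over the unix_dgram socket configured above, the following added example (not part of this page or of Trisul's own code) binds a listener at the same path Trisul would use and summarises the alert events it receives by signature. It assumes the socket path is the -l run directory from the start command joined with the 'filename' key from the EVE output; Suricata connects to this socket as a client, so the listener must exist before Suricata starts.

```python
import json, os, socket
from collections import Counter

# Assumed path: the -l run directory from the page plus the 'filename' key.
RUN_DIR = "/usr/local/var/lib/trisul-probe/domain0/probe0/context0/run"
SOCKET_PATH = os.path.join(RUN_DIR, "suricata_eve.socket")

def parse_eve_record(raw):
    # unix_dgram delivers one JSON object per datagram; drop anything else.
    try:
        record = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return record if isinstance(record, dict) and "event_type" in record else None

def alert_summary(records):
    # Count alert events per signature; flow/http/... events are ignored.
    counts = Counter()
    for rec in records:
        if rec.get("event_type") == "alert":
            counts[rec.get("alert", {}).get("signature", "<unknown>")] += 1
    return dict(counts)

def open_listener(path=SOCKET_PATH):
    # Suricata connects to this socket, so bind it before starting suricata -D.
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    return sock

def collect(sock, max_records=100, timeout=5.0):
    # Read datagrams until max_records have parsed or the socket goes quiet.
    sock.settimeout(timeout)
    records = []
    while len(records) < max_records:
        try:
            data = sock.recv(65536)
        except socket.timeout:
            break
        rec = parse_eve_record(data)
        if rec is not None:
            records.append(rec)
    return records

if __name__ == "__main__":
    with open_listener() as listener:
        print(alert_summary(collect(listener)))
```

Stop the Trisul app while running this check, since only one process can bind the socket path at a time.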

tips/suricata-eve-unixsocket.txt · Last modified: 2020/03/30 18:57 by navaneeth