tips:suricata-eve-unixsocket
tips:suricata-eve-unixsocket [2020/08/27 18:44] – [Updating with latest rules] navaneeth
tips:suricata-eve-unixsocket [2020/09/17 19:21] navaneeth
Line 1: Line 1:
 ====== Suricata-EVE-Unixsocket ====== ====== Suricata-EVE-Unixsocket ======
  
-This article helps with providing guidelines for installing Suricata-Eve-Unixsocket app in Trisul Network Analytics. +This article provides instructions for installing Suricata-Eve-Unixsocket app in Trisul Network Analytics. The Suricata-Eve app allows you to integrate Suricata IDS alerts into Trisul metrics framework.
- +
-** +
-To create a threat signatures that will turn into a powerful frontline alert monitoring system for any enterprise.Usually Suricata show up as IDS alerts in Trisul. +
-**+
  
 {{:tips:suricataapp.png?400|}} {{:tips:suricataapp.png?400|}}
  
 ===== Installation ===== ===== Installation =====
-==== 1. Installing Suricata ====+==== 1. Installing Suricata App ====
  
   * You can install the app by logging in as admin and selecting //Web Admin > Manage > Apps > Suricata via Eve Unixsocket//.   * You can install the app by logging in as admin and selecting //Web Admin > Manage > Apps > Suricata via Eve Unixsocket//.
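Review bot: the rewritten intro line drops the article twice, in "installing Suricata-Eve-Unixsocket app in Trisul Network Analytics" and "into Trisul metrics framework"; suggest "installing the Suricata-Eve-Unixsocket app" and "into the Trisul metrics framework". Renaming the heading to "1. Installing Suricata App" reads correctly now that Suricata itself is installed in a separate step.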
Line 16: Line 12:
 {{:tips:suricata-app-admin.png?600|}} {{:tips:suricata-app-admin.png?600|}}
  
-  * Please install Suricata by running the following command,+==== 2. Installing Suricata version 5.0 ==== 
 +Please install Suricata by running the following command,
  
 <code> <code>
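Review bot: the new heading "2. Installing Suricata version 5.0" pins a version, but the sentence under it ("Please install Suricata by running the following command,") says nothing about which version the command installs, and it should end with a colon rather than a comma. If 5.0 is a requirement (the Emerging Threats bundle removed later in this diff was the suricata-5.0.0 one, and suricata-update selects rules by installed version), state that requirement in the text; otherwise drop the version from the heading.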
Line 24: Line 21:
 </code> </code>
  
-==== 2. Installing Emerging Threat Rules ==== 
  
 +==== 3. Updating with latest ruleset ====
  
-  * You have to install the Emerging Threats Community which are a set of rules that trisul will listen to+Use the following command to update the latest emerging-threats ruleset
-  * Download and install Emerging Threats Open rules into ///etc/suricata//+
  
-<code>#cd /etc/suricata +<code>sudo suricata-update</code>
-#wget https://rules.emergingthreats.net/open/suricata-5.0.0/emerging.rules.tar.gz +
-#tar xf emerging.rules.tar.gz +
-</code>+
  
-<note important>Please ensure that you run these commands in root</note>+suricata-update puts the combined rules in ''/var/lib/suricata/rules'' which is owned by root. Make sure the trisul user can read this directory.
  
-==== 3. Enabling EVE output ====+<code>sudo chown trisul.trisul /var/lib/suricata -R </code> 
 + 
 + 
 +==== 4. Enabling EVE_unix Socket ====
  
  
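Review bot: `sudo chown trisul.trisul /var/lib/suricata -R` grants more than the accompanying sentence asks for. The text only needs the trisul user to be able to read `/var/lib/suricata/rules`, but a recursive ownership change lets that unprivileged service account rewrite the rule set Suricata loads, and the next `sudo suricata-update` run as root recreates the rule files owned by root anyway, quietly undoing the chown. Suggest granting read access instead, for example `sudo chmod -R o+rX /var/lib/suricata/rules` (or a group grant with `g+rX`), and using the portable `user:group` separator rather than the legacy GNU `user.group` spelling.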
Line 49: Line 45:
 </code> </code>
 <note>The Filename is 'suricata_eve.socket' is the name of the Unix Datagram socket file that Trisul will listen to later.</note> <note>The Filename is 'suricata_eve.socket' is the name of the Unix Datagram socket file that Trisul will listen to later.</note>
- 
-  * And, also disable the 'fast.log' in ///etc/suricata/suricata.yaml// as shown below. 
- 
-<code>outputs: 
-  # a line based alerts log similar to Snort's fast.log 
-  - fast: 
-      enabled: no 
-      filename: fast.log 
-      append: yes 
-      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'</code> 
              
  
-==== 4. Starting Suricata ====+==== 5. Starting Suricata ==== 
 +  * Login as Admin and Select Admin Tasks. 
 +  * Click on 'More options' dropbox at the end of probe0. 
 +  * You will find a Dialog box with command line to install Suricata as below. 
 +  * Cut and paste the command shown into a terminal to start suricata 
  
-Run suricata and set the log directory to the default context run directory using the command, +<code>sudo suricata --user trisul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i ens33 -D
- +
-<code>suricata --user tirsul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i enp0s25 -D+
 </code> </code>
  
-<note important>Please ensure you enter the correct Interface name.</note>+{{:app:suricata.png?600|}} 
 +{{:app:how_to_start_suricata.png?600|}} 
 + 
 +==== 6. Viewing Alerts ==== 
  
 {{:tips:suricata-alert.png?600|}} {{:tips:suricata-alert.png?600|}}
  
-==== 5Updating with latest rules ====+==== 7Starting Suricata Automatically ====
  
-If you have already installed suricata and you want to update with the latest rules. Use the following command.+  * You need to install [[monit:monitoring_and_maintain_trisul_process|monit]] to enable this feature.
  
-<code>sudo suricata-update</code>+  * Add a shellscript named //start-suricata.sh// in ///usr/local/etc/trisul-probe/// 
 + 
 +<code> 
 +#!/bin/bash 
 + 
 +echo "Removing PID file" 
 +/bin/rm -f /var/run/suricata.pid 
 + 
 +echo "Starting suricata" 
 +/usr/bin/suricata --user trisul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i ens18 -D 
 + 
 +echo "Done starting suricata"</code> 
 + 
 +  * You need to add the following statements in the ///etc/monit/monitrc file//. 
 +<code>check process suricata with pidfile /var/run/suricata.pid 
 +  start program = "/usr/local/etc/trisul-probe/start-suricata.sh" 
 +</code> 
 + 
 +  * Please ensure you restart monit 
 +<code>systemctl restart monit</code>
  
  
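Review bot: the capture interface is now hard-coded twice and inconsistently: the step 5 command uses `-i ens33` while the start-suricata.sh script in step 7 uses `-i ens18`, and the removed reminder `<note important>Please ensure you enter the correct Interface name.</note>` was the only thing telling readers to substitute their own. Since step 5 says the command is copied from the probe0 "More options" dialog, either mark the interface as a placeholder in both places or keep the note. In the monit block, `check process suricata with pidfile /var/run/suricata.pid` has a `start program` but no `stop program`, so monit can only start the daemon and never stop or restart it cleanly; the script also runs `/bin/rm -f /var/run/suricata.pid` unconditionally before starting, which lets a second instance be launched if the first is still running, so consider removing the pid file only when the process it names is gone. Finally, dropping the fast.log step means the default `fast.log` output stays enabled and is written to the `-l` directory, i.e. the Trisul context run directory; say so if that is intended, otherwise keep the step.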
tips/suricata-eve-unixsocket.txt · Last modified: 2020/09/28 17:22 by navaneeth