tips:suricata-eve-unixsocket

Previous revision: tips:suricata-eve-unixsocket [2020/08/27 19:09] – [5. Starting Suricata] navaneeth
Last revision: tips:suricata-eve-unixsocket [2020/09/17 19:21] navaneeth
Line 21: Line 21:
 </code> </code>
  
-==== 3. Installing Emerging Threat Rules 5.0 ==== 
  
 +==== 3. Updating with latest ruleset ====
  
-  * You have to install the Emerging Threats Community which are a set of rules that trisul will listen to+Use the following command to update the latest emerging-threats ruleset
-  * Download and install Emerging Threats Open rules into ///etc/suricata//+
  
-<code>#cd /etc/suricata +<code>sudo suricata-update</code> 
-#wget https://rules.emergingthreats.net/open/suricata-5.0.0/emerging.rules.tar.gz + 
-#tar xf emerging.rules.tar.gz +suricata-update puts the combined rules in ''/var/lib/suricata/rules'' which is owned by rootMake sure the trisul user can read this directory
-</code>+ 
 +<code>sudo chown trisul.trisul /var/lib/suricata -R </code>
  
-<note important>Please ensure that you run these commands as root</note> 
  
 ==== 4. Enabling EVE_unix Socket ==== ==== 4. Enabling EVE_unix Socket ====
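Review bot: `sudo chown trisul.trisul /var/lib/suricata -R` in the new step 3 hands the trisul user ownership, and therefore write access, of the whole rules tree, while the sentence before it only asks that trisul be able to read the directory; a compromised probe process could then silently edit or empty `suricata.rules`. Keep the files root-owned and grant read access instead, for example `sudo chgrp -R trisul /var/lib/suricata && sudo chmod -R g+rX /var/lib/suricata`, or an ACL such as `sudo setfacl -R -m u:trisul:rX /var/lib/suricata`; note that later `sudo suricata-update` runs recreate the rule files as root, so readability should be re-checked after each update. Two smaller points: `trisul.trisul` is the deprecated GNU `user.group` spelling, `trisul:trisul` is the portable form, and the sentence "which is owned by rootMake sure" has lost its full stop.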
Line 60: Line 59:
 {{:app:how_to_start_suricata.png?600|}} {{:app:how_to_start_suricata.png?600|}}
  
-<note important>Please ensure you enter the correct Interface name.</note>+==== 6Viewing Alerts ==== 
  
 {{:tips:suricata-alert.png?600|}} {{:tips:suricata-alert.png?600|}}
  
-==== 6Updating with latest rules ====+==== 7Starting Suricata Automatically ====
  
-If you have already installed suricata and you want to update with the latest rules. Use the following command.+  * You need to install [[monit:monitoring_and_maintain_trisul_process|monit]] to enable this feature.
  
-<code>sudo suricata-update</code>+  * Add a shellscript named //start-suricata.sh// in ///usr/local/etc/trisul-probe/// 
 + 
 +<code> 
 +#!/bin/bash 
 + 
 +echo "Removing PID file" 
 +/bin/rm -f /var/run/suricata.pid 
 + 
 +echo "Starting suricata" 
 +/usr/bin/suricata --user trisul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i ens18 -D 
 + 
 +echo "Done starting suricata"</code> 
 + 
 +  * You need to add the following statements in the ///etc/monit/monitrc file//. 
 +<code>check process suricata with pidfile /var/run/suricata.pid 
 +  start program = "/usr/local/etc/trisul-probe/start-suricata.sh" 
 +</code> 
 + 
 +  * Please ensure you restart monit 
 +<code>systemctl restart monit</code>
  
  
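Review bot: the start script in step 7 runs `/bin/rm -f /var/run/suricata.pid` unconditionally before launching Suricata, so if monit's pidfile check misfires while an instance is still alive, the old pidfile is discarded and a second capture process is started on the same interface that monit can no longer track. Guard the removal first, e.g. `if [ -f /var/run/suricata.pid ] && kill -0 "$(cat /var/run/suricata.pid)" 2>/dev/null; then echo "suricata already running"; exit 0; fi`. The monit stanza declares only `start program`, so `monit stop suricata` and `monit restart suricata` have nothing to run; add a matching `stop program = "/bin/sh -c 'kill $(cat /var/run/suricata.pid)'"` (the `/bin/sh -c` wrapper is needed because monit executes the command directly, not through a shell). Finally, this revision drops the earlier "Please ensure you enter the correct Interface name" note but hardcodes `-i ens18` in the script; the text should say that the interface is a placeholder the reader must replace with their own capture interface.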
tips/suricata-eve-unixsocket.txt · Last modified: 2020/09/28 17:22 by navaneeth