Differences

This shows you the differences between two versions of the page.

--- tips:suricata-eve-unixsocket [2020/08/27 18:56] – navaneeth
+++ tips:suricata-eve-unixsocket [2020/09/28 17:22] (current) – navaneeth
@@ Line 1: / Line 1: @@
 ====== Suricata-EVE-Unixsocket ======
-This article helps with providing guidelines for installing Suricata-Eve-Unixsocket app in Trisul Network Analytics.
+This article provides instructions for installing Suricata-Eve-Unixsocket app in Trisul Network Analytics. The Suricata-Eve app allows you to integrate Suricata IDS alerts into Trisul metrics framework.
 {{:tips:suricataapp.png?400|}}
@@ Line 12: / Line 12: @@
 {{:tips:suricata-app-admin.png?600|}}
-==== 2. Installing Suricata ====
+==== 2. Installing Suricata version 5.0 ====
 Please install Suricata by running the following command,
@@ Line 21: / Line 21: @@
 </code>
-==== 3. Installing Emerging Threat Rules ====
+==== 3. Updating with latest ruleset ====
-  * You have to install the Emerging Threats Community which are a set of rules that trisul will listen to.
+Use the following command to update the latest emerging-threats ruleset
-  * Download and install Emerging Threats Open rules into ///etc/suricata//
-<code>#cd /etc/suricata
+<code>sudo suricata-update</code>
-#wget https://rules.emergingthreats.net/open/suricata-5.0.0/emerging.rules.tar.gz
-#tar xf emerging.rules.tar.gz
+suricata-update puts the combined rules in ''/var/lib/suricata/rules'' which is owned by root. Make sure the trisul user can read this directory.
-</code>
+<code>sudo chown trisul.trisul /var/lib/suricata -R </code>
-<note important>Please ensure that you run these commands in root</note>
 ==== 4. Enabling EVE_unix Socket ====
@@ Line 46: / Line 45: @@
 </code>
 <note>The Filename is 'suricata_eve.socket' is the name of the Unix Datagram socket file that Trisul will listen to later.</note>
-  * And, also disable the 'fast.log' in ///etc/suricata/suricata.yaml// as shown below.
-<code>outputs:
-  # a line based alerts log similar to Snort's fast.log
-  - fast:
-      enabled: no
-      filename: fast.log
-      append: yes
-      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'</code>
@@ Line 62: / Line 51: @@
   * Click on 'More options' dropbox at the end of probe0.
   * You will find a Dialog box with command line to install Suricata as below.
+  * Cut and paste the command shown into a terminal to start suricata
 <code>sudo suricata --user trisul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i ens33 -D
 </code>
-<note important>Please ensure you enter the correct Interface name.</note>
+{{:app:suricata.png?600|}}
+{{:app:how_to_start_suricata.png?600|}}
+==== 6. Viewing Alerts ====
 {{:tips:suricata-alert.png?600|}}
-==== 6. Updating with latest rules ====
+==== 7. Starting Suricata Automatically ====
-If you have already installed suricata and you want to update with the latest rules. Use the following command.
+  * You need to install [[monit:monitoring_and_maintain_trisul_process|monit]] to enable this feature.
-<code>sudo suricata-update</code>
+  * Add a shellscript named //start-suricata.sh// in ///usr/local/etc/trisul-probe///
+<code>
+#!/bin/bash
+echo "Removing PID file"
+/bin/rm -f /var/run/suricata.pid
+echo "Starting suricata"
+/usr/bin/suricata --user trisul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i ens18 -D
+echo "Done starting suricata"</code>
+  * Make sure the shell script //start-suricata.sh// is executable. It can be done by
+<code>chmod +x start-suricata.sh</code>
+  * You need to add the following statements in the ///etc/monit/monitrc file//.
+<code>check process suricata with pidfile /var/run/suricata.pid
+  start program = "/usr/local/etc/trisul-probe/start-suricata.sh"
+</code>
+  * Please ensure you restart monit
+<code>systemctl restart monit</code>