tips:suricata-eve-unixsocket

tips:suricata-eve-unixsocket [2020/08/27 18:53] – [4. Starting Suricata] navaneethtips:suricata-eve-unixsocket [2020/09/28 17:22] (current) navaneeth
Line 1: Line 1:
 ====== Suricata-EVE-Unixsocket ====== ====== Suricata-EVE-Unixsocket ======
  
-This article helps with providing guidelines for installing Suricata-Eve-Unixsocket app in Trisul Network Analytics. +This article provides instructions for installing Suricata-Eve-Unixsocket app in Trisul Network Analytics. The Suricata-Eve app allows you to integrate Suricata IDS alerts into Trisul metrics framework.
- +
-** +
-To create a threat signatures that will turn into a powerful frontline alert monitoring system for any enterprise.Usually Suricata show up as IDS alerts in Trisul. +
-**+
  
 {{:tips:suricataapp.png?400|}} {{:tips:suricataapp.png?400|}}
  
 ===== Installation ===== ===== Installation =====
-==== 1. Installing Suricata ====+==== 1. Installing Suricata App ====
  
   * You can install the app by logging in as admin and selecting //Web Admin > Manage > Apps > Suricata via Eve Unixsocket//.   * You can install the app by logging in as admin and selecting //Web Admin > Manage > Apps > Suricata via Eve Unixsocket//.
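Review bot: the new introductory sentence in the first hunk is missing its articles and reads awkwardly; it should be "installing the Suricata-Eve-Unixsocket app" and "into the Trisul metrics framework". The renamed heading "1. Installing Suricata App" is clearer than the old "Installing Suricata", but the bullet under it still says "You can install the app" without saying which app; since the page now has separate steps for the Trisul app and for Suricata itself, name it ("the Suricata via Eve Unixsocket app") so the two installs are not confused.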
Line 16: Line 12:
 {{:tips:suricata-app-admin.png?600|}} {{:tips:suricata-app-admin.png?600|}}
  
-  * Please install Suricata by running the following command,+==== 2. Installing Suricata version 5.0 ==== 
 +Please install Suricata by running the following command,
  
 <code> <code>
Line 24: Line 21:
 </code> </code>
  
-==== 2. Installing Emerging Threat Rules ==== 
  
 +==== 3. Updating with latest ruleset ====
  
-  * You have to install the Emerging Threats Community which are a set of rules that trisul will listen to+Use the following command to update the latest emerging-threats ruleset
-  * Download and install Emerging Threats Open rules into ///etc/suricata//+
  
-<code>#cd /etc/suricata +<code>sudo suricata-update</code> 
-#wget https://rules.emergingthreats.net/open/suricata-5.0.0/emerging.rules.tar.gz + 
-#tar xf emerging.rules.tar.gz +suricata-update puts the combined rules in ''/var/lib/suricata/rules'' which is owned by rootMake sure the trisul user can read this directory
-</code>+ 
 +<code>sudo chown trisul.trisul /var/lib/suricata -R </code>
  
-<note important>Please ensure that you run these commands in root</note> 
  
-==== 3. Enabling EVE output ====+==== 4. Enabling EVE_unix Socket ====
  
  
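Review bot: `sudo chown trisul.trisul /var/lib/suricata -R` hands the trisul user ownership of, and therefore write access to, the entire suricata-update tree, while the sentence above it only asks that trisul can read the rules. Prefer granting read access without changing ownership, for example `sudo chmod -R o+rX /var/lib/suricata`, or put trisul in a group that has read permission; that way a compromise of the unprivileged trisul process cannot alter the ruleset Suricata loads. Note also that `sudo suricata-update` runs as root, so the rules files it creates or replaces on later updates will be root-owned again and the permission fix has to be repeated (or folded into the update step) each time. Minor: use `trisul:trisul` rather than the deprecated dotted owner.group form, and "owned by rootMake sure" is missing a full stop.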
Line 49: Line 45:
 </code> </code>
 <note>The Filename is 'suricata_eve.socket' is the name of the Unix Datagram socket file that Trisul will listen to later.</note> <note>The Filename is 'suricata_eve.socket' is the name of the Unix Datagram socket file that Trisul will listen to later.</note>
- 
-  * And, also disable the 'fast.log' in ///etc/suricata/suricata.yaml// as shown below. 
- 
-<code>outputs: 
-  # a line based alerts log similar to Snort's fast.log 
-  - fast: 
-      enabled: no 
-      filename: fast.log 
-      append: yes 
-      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'</code> 
              
  
-==== 4. Starting Suricata ====+==== 5. Starting Suricata ====
   * Login as Admin and Select Admin Tasks.   * Login as Admin and Select Admin Tasks.
   * Click on 'More options' dropbox at the end of probe0.   * Click on 'More options' dropbox at the end of probe0.
   * You will find a Dialog box with command line to install Suricata as below.   * You will find a Dialog box with command line to install Suricata as below.
 +  * Cut and paste the command shown into a terminal to start suricata 
  
 <code>sudo suricata --user trisul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i ens33 -D <code>sudo suricata --user trisul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i ens33 -D
 </code> </code>
  
-<note important>Please ensure you enter the correct Interface name.</note>+{{:app:suricata.png?600|}} 
 +{{:app:how_to_start_suricata.png?600|}} 
 + 
 +==== 6. Viewing Alerts ==== 
  
 {{:tips:suricata-alert.png?600|}} {{:tips:suricata-alert.png?600|}}
  
-==== 5Updating with latest rules ====+==== 7Starting Suricata Automatically ====
  
-If you have already installed suricata and you want to update with the latest rules. Use the following command.+  * You need to install [[monit:monitoring_and_maintain_trisul_process|monit]] to enable this feature.
  
-<code>sudo suricata-update</code>+  * Add a shellscript named //start-suricata.sh// in ///usr/local/etc/trisul-probe/// 
 + 
 +<code> 
 +#!/bin/bash 
 + 
 +echo "Removing PID file" 
 +/bin/rm -f /var/run/suricata.pid 
 + 
 +echo "Starting suricata" 
 +/usr/bin/suricata --user trisul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i ens18 -D 
 + 
 +echo "Done starting suricata"</code> 
 + 
 +  * Make sure the shell script //start-suricata.sh// is executable. It can be done by 
 +<code>chmod +x start-suricata.sh</code> 
 + 
 +  * You need to add the following statements in the ///etc/monit/monitrc file//. 
 +<code>check process suricata with pidfile /var/run/suricata.pid 
 +  start program = "/usr/local/etc/trisul-probe/start-suricata.sh" 
 +</code> 
 + 
 +  * Please ensure you restart monit 
 +<code>systemctl restart monit</code>
  
  
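Review bot: the "Please ensure you enter the correct Interface name" note was removed from this hunk, yet the interface is still hard-coded and now inconsistently so: the dialog command uses `-i ens33` while start-suricata.sh uses `-i ens18`. A reader who copies the script verbatim starts Suricata on an interface that may not exist, so either restore the note or mark the interface as a value to edit, and use the same name in both places. In start-suricata.sh, `/bin/rm -f /var/run/suricata.pid` deletes the PID file unconditionally; if Suricata is still running when monit invokes the script, this removes the live process's PID file and launches a second instance on the same EVE socket. Check for a live process first (e.g. `kill -0 "$(cat /var/run/suricata.pid)"` before removing) or rely on Suricata's own stale-PID handling. The monit `check process ... with pidfile /var/run/suricata.pid` also depends on Suricata's default daemon PID path; passing `--pidfile /var/run/suricata.pid` explicitly in the script makes that coupling visible. Separately, the instructions for disabling fast.log were dropped without comment; with `-l .../run` Suricata will now also write fast.log into that directory unless suricata.yaml disables it, so say whether that is intended. Minor: `chmod +x start-suricata.sh` should use the full path given above, and `systemctl restart monit` lacks the `sudo` used everywhere else.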
tips/suricata-eve-unixsocket.1598534610.txt.gz · Last modified: 2020/08/27 18:53 by navaneeth