This article provides instructions for installing Suricata-Eve-Unixsocket app in Trisul Network Analytics. The Suricata-Eve app allows you to integrate Suricata IDS alerts into Trisul metrics framework.

• You can install the app by logging in as admin and selecting Web Admin > Manage > Apps > Suricata via Eve Unixsocket.

Please install Suricata by running the following command,

add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
apt-get install suricata

• You have to install the Emerging Threats Community which are a set of rules that trisul will listen to.
• Download and install Emerging Threats Open rules into /etc/suricata

#cd /etc/suricata
#wget https://rules.emergingthreats.net/open/suricata-5.0.0/emerging.rules.tar.gz
#tar xf emerging.rules.tar.gz

• locate the 'Outputs' section in /etc/suricata/suricata.yaml enable EVE logging as shown below.

# Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: unix_dgram  #regular| 
      filename: suricata_eve.socket

• Login as Admin and Select Admin Tasks.
• Click on 'More options' dropbox at the end of probe0.
• You will find a Dialog box with command line to install Suricata as below.
• Cut and paste the command shown into a terminal to start suricata

sudo suricata --user trisul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i ens33 -D

If you have already installed suricata and you want to update with the latest rules. Use the following command.

sudo suricata-update