Suricata
Installation
CentOS
sudo yum install epel-release yum-plugin-copr
sudo yum copr enable @oisf/suricata-6.0
sudo yum install suricata
Auto start
sudo systemctl enable suricata.service
suricata-update requires PyYAML
sudo yum install PyYAML
Update signatures
sudo suricata-update
Restart
sudo systemctl restart suricata
Ref: Installation
Alerting
Test alert
curl http://testmynids.org/uid/index.html
View alert log
sudo tail /var/log/suricata/fast.log
eve.json
Output config in /etc/suricata/suricata.yaml (default log path /var/log/suricata/eve.json)
outputs:
  - eve-log:
      enabled: yes
      filename: eve.json
      types:
        # Disable flow log, very large
        # - flow
        # Disable event type "fileinfo", large too
        # - files:
            # force-magic: no
Count event_type in eve.json
jq '.event_type' eve.json | sort | uniq -c
      4 "alert"
      7 "stats"
     89 "tls"
Monitor alert
tail -f eve.json | jq 'select(.event_type=="alert")'
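The jq one-liners above work when the whole file is well-formed JSON lines, but a file that Suricata is still writing to can end in a half-written record, and jq aborts on it. The script below is an added example (not part of these notes and not Suricata's own tooling) that does the same counting and alert selection in Python, skips truncated lines, and filters alerts by severity. The sample eve.json records embedded in it are constructed for the example; field names follow the EVE JSON format, but the addresses, timestamps and signatures are made up.

```python
"""Summarise a Suricata eve.json file offline (added example, not from the original notes)."""
import json
import sys
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample eve.json lines (not real captured traffic). The last
# line is deliberately truncated, as happens when reading a file that
# Suricata is still writing to.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-01-01T12:00:00.000000+0000","event_type":"tls",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","tls":{"sni":"example.com"}}',
    '{"timestamp":"2021-01-01T12:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","src_port":80,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"TCP",'
    '"alert":{"action":"allowed","signature_id":2100498,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2021-01-01T12:00:02.000000+0000","event_type":"stats","stats":{"uptime":120}}',
    '{"timestamp":"2021-01-01T12:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.9","src_port":40000,"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP",'
    '"alert":{"action":"allowed","signature_id":9000001,'
    '"signature":"EXAMPLE SCAN constructed test signature",'
    '"category":"Attempted Information Leak","severity":3}}',
    '{"timestamp":"2021-01-01T12:00:04.000000+0000","event_type":"al',
]


def parse_eve(lines: Iterable[str]) -> Iterator[Dict]:
    """Yield one dict per EVE record, silently skipping blank and truncated lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # A partial line (Suricata mid-write, or a rotated file) is not
            # worth aborting over; tail -f | jq would stop here.
            continue


def count_event_types(lines: Iterable[str]) -> Dict[str, int]:
    """Equivalent of: jq '.event_type' eve.json | sort | uniq -c."""
    return dict(Counter(rec.get("event_type", "<none>") for rec in parse_eve(lines)))


def alerts(lines: Iterable[str], max_severity: Optional[int] = None) -> List[Dict]:
    """Equivalent of: jq 'select(.event_type=="alert")', flattened to the fields
    an analyst usually wants first. Suricata severity: 1 = high, 2 = medium, 3 = low,
    so max_severity=2 keeps high and medium alerts."""
    out = []
    for rec in parse_eve(lines):
        if rec.get("event_type") != "alert":
            continue
        a = rec.get("alert", {})
        if max_severity is not None and a.get("severity", 3) > max_severity:
            continue
        out.append({
            "timestamp": rec.get("timestamp"),
            "sid": a.get("signature_id"),
            "signature": a.get("signature"),
            "severity": a.get("severity"),
            "src": f'{rec.get("src_ip")}:{rec.get("src_port", "")}',
            "dest": f'{rec.get("dest_ip")}:{rec.get("dest_port", "")}',
        })
    return out


def format_alert(a: Dict) -> str:
    """One-line, fast.log-like rendering of a flattened alert."""
    return f'{a["timestamp"]} [sid:{a["sid"]}] sev={a["severity"]} {a["signature"]} {a["src"]} -> {a["dest"]}'


if __name__ == "__main__":
    # Usage: python3 eve_summary.py [/var/log/suricata/eve.json] [max_severity]
    # Without arguments it runs over the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.readlines()
    else:
        source = SAMPLE_EVE_LINES
    sev = int(sys.argv[2]) if len(sys.argv) > 2 else None
    for name, n in sorted(count_event_types(source).items()):
        print(f"{n:>7} {name}")
    for alert in alerts(source, max_severity=sev):
        print(format_alert(alert))
```

Pass the real path as the first argument to run it on a live box; the severity cut-off as a second argument is handy when the flow and tls event types have been left enabled and the file is large.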