Suricata

Installation

CentOS

sudo yum install epel-release yum-plugin-copr
sudo yum copr enable @oisf/suricata-6.0
sudo yum install suricata

Auto start

sudo systemctl enable suricata.service

suricata-update require PyYAML

sudo yum install PyYAML

Update signatures

sudo suricata-update

Restart

sudo systemctl restart suricata

Ref: Installation

Alerting

Test alert

curl http://testmynids.org/uid/index.html

View alert log

sudo tail /var/log/suricata/fast.log

`eve.json`

eve.json
outputs:
  - eve-log:
      enabled: yes
      filename: eve.json
      types:
        # Disable flow log, very large
        # - flow

        # Disable event type "fileinfo", large too
        # - files:
            # force-magic: no

Count `event_type` in `eve.json`

cat eve.json | jq ".event_type" | sort | uniq -c

"alert"
"stats"
"tls"

Monitor `alert`

tail -f eve.json | jq 'select(.event_type=="alert")'

Installation​

CentOS​

Alerting​

Test alert​

View alert log​

eve.json​

Count event_type in eve.json​

Monitor alert​

Installation

CentOS

Alerting

Test alert

View alert log

`eve.json`

Count `event_type` in `eve.json`

Monitor `alert`