Suricata

GPL Licence
Build Status Inline docs Code Climate Gem Version

This gem offers classes for parsing suricata logfiles. It ships with a nagios-plugin.

Installation

Add this line to your application's Gemfile:

gem 'suricata'

And then execute:

$ bundle

Or install it yourself as:

$ gem install suricata

Usage

Nagios-Plugin

This gem comes with a Nagios-plugin to search suricata's fast-logfile for specific strings in the threat-description.

Usage: check_suricata [ -a alertfile ] [ -w whitelistfile ] -e searchstring
    -h, --help                       This help screen
    -a, --alertfile ALERTFILE        alertfile(default: /var/log/suricata/fast.log)
    -w, --whitelist WHITELISTFILE    whitelistfile
    -e, --search STRING              searchstring
    -i, --interactive                interactive
    -k, --ackfile ACKFILE            ackfile(default: /tmp/surack.lst)

It is possible to interactively acknowlege search hits so that they will not occur on the next search:

check_suricata -i -e "ET CHAT"                                                                                                                                               
Acknowlege the following entry:
10/04/2016-13:39:45.498785 [**] [1:2001595:10] ET CHAT Skype VOIP Checking Version (Startup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:40460 -> 15.14.13.12:80
Acknowlege(y|n): y
Acknowlege the following entry:
10/05/2016-09:25:01.186862 [**] [1:2001595:10] ET CHAT Skype VOIP Checking Version (Startup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:49491 -> 100.254.198.10:80
Acknowlege(y|n): n

Logfile Analyzer

This gem comes with a logfile analyzer for suricata's fast.log. It's very easy to use and meant for using as a daily cronjob

Usage: surilizer <fast.log | fast.log* | fast.log fast.2.log fast.3.log.gz >

surilizer misc/fast.log

======== Suricata Log Analysis ========
Events: 11
Unique Sources: 3
Unique Events: 6

======== Unique Events =========

PRIORITY    | DESCRIPTION 
1       | ET POLICY Cleartext WordPress Login
1       | ET POLICY Http Client Body contains pwd= in cleartext
1       | ET CHAT Skype VOIP Checking Version (Startup)
2       | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 339
3       | GPL CHAT Jabber/Google Talk Outgoing Traffic
3       | SURICATA TCPv4 invalid checksum

======== Eventy by source ========
Source: 192.168.0.1
    -> 8.8.8.8
        1 x ET POLICY Cleartext WordPress Login Prio: 1
    -> 8.8.8.1
        1 x ET POLICY Http Client Body contains pwd= in cleartext Prio: 1
    -> 4.3.2.1
        1 x SURICATA TCPv4 invalid checksum Prio: 3
    -> 15.14.13.12
        1 x ET CHAT Skype VOIP Checking Version (Startup) Prio: 1
    -> 8.4.3.7
        1 x GPL CHAT Jabber/Google Talk Outgoing Traffic Prio: 3
    -> 1.2.3.22
        2 x SURICATA TCPv4 invalid checksum Prio: 3
    -> 100.254.198.10
        1 x ET CHAT Skype VOIP Checking Version (Startup) Prio: 1

Source: 212.69.166.153
    -> 1.2.3.4
        1 x ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 339 Prio: 2

Source: 10.12.32.6
    -> 42.42.42.42
        1 x SURICATA TCPv4 invalid checksum Prio: 3
    -> 9.1.2.1
        1 x SURICATA TCPv4 invalid checksum Prio: 3

Documentation

rubydoc.info

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/whotwagner/suricata.


Powered by Toscom