I wrote a Ruby gem for Suricata. It offers classes to parse Suricata logs and ships with a Nagios plugin.
Installation
Just call:
gem install suricata
Usage
The Nagios plugin searches for specific strings in the description part of a log file entry. It is possible to create a whitelist of search hits that should be excluded.
Usage: check_suricata [-a alertfile] [-w whitelistfile] -e searchstring
-h, --help This help screen
-a, --alertfile ALERTFILE alertfile(default: /var/log/suricata/fast.log)
-w, --whitelist WHITELISTFILE whitelistfile
-e, --search STRING searchstring
-i, --interactive interactive
-k, --ackfile ACKFILE ackfile(default: /tmp/surack.lst)
It is possible to interactively acknowledge search hits so that they do not show up again in the next search:
check_suricata -i -e "ET CHAT"
Acknowlege the following entry:
10/04/2016-13:39:45.498785 [**] [1:2001595:10] ET CHAT Skype VOIP Checking Version (Startup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:40460 -> 15.14.13.12:80
Acknowlege(y|n): y
Acknowlege the following entry:
10/05/2016-09:25:01.186862 [**] [1:2001595:10] ET CHAT Skype VOIP Checking Version (Startup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:49491 -> 100.254.198.10:80
Acknowlege(y|n): n
Download the Sources
The sources can be found in my GitHub account and can be downloaded using git:
git clone https://github.com/whotwagner/suricata
Future Work
I am currently working on a log file analyzer for Suricata. It will be included in future versions of this gem.