FUN WITH LINUX

Suricata Ruby-Gem

11 October 2016

I wrote a Ruby-Gem for Suricata. It offers classes to parse Suricata logs and ships with a Nagios plugin.

Installation

Just call:

gem install suricata

Usage

The Nagios plugin searches for specific strings in the description part of a logfile entry. It is possible to create a whitelist of search hits which should be excluded.

Usage: check_suricata [-a alertfile] [-w whitelistfile] -e searchstring
    -h, --help This help screen
    -a, --alertfile ALERTFILE alertfile(default: /var/log/suricata/fast.log)
    -w, --whitelist WHITELISTFILE whitelistfile
    -e, --search STRING searchstring
    -i, --interactive interactive
    -k, --ackfile ACKFILE ackfile(default: /tmp/surack.lst)

It is possible to interactively acknowledge search hits so that they will not occur on the next search:

check_suricata -i -e "ET CHAT"
Acknowlege the following entry:
10/04/2016-13:39:45.498785 [**] [1:2001595:10] ET CHAT Skype VOIP Checking Version (Startup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:40460 -> 15.14.13.12:80
Acknowlege(y|n): y
Acknowlege the following entry:
10/05/2016-09:25:01.186862 [**] [1:2001595:10] ET CHAT Skype VOIP Checking Version (Startup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:49491 -> 100.254.198.10:80
Acknowlege(y|n): n
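How the plugin's search, whitelist and acknowledge filtering fits together over the fast.log format shown above, as an added example in Ruby (this is not the gem's own code; the module, method names and the sample lines marked as constructed are assumptions):

```ruby
# Added example (not the gem's own code): parse Suricata fast.log entries and
# apply the search / whitelist / acknowledge filtering the plugin performs.
# SuricataFastLog and its method names are assumptions.
require 'set'

module SuricataFastLog
  # One fast.log line of the shape shown in the post:
  # <ts> [**] [gid:sid:rev] <desc> [**] [Classification: ..] [Priority: n] {PROTO} src -> dst
  LINE = /\A(?<ts>\S+)\s+\[\*\*\]\s+\[(?<gid>\d+):(?<sid>\d+):(?<rev>\d+)\]\s+
          (?<desc>.+?)\s+\[\*\*\]\s+(?:\[Classification:\s+(?<cls>[^\]]+)\]\s+)?
          \[Priority:\s+(?<prio>\d+)\]\s+\{(?<proto>\w+)\}\s+(?<src>\S+)\s+->\s+(?<dst>\S+)\z/x

  Entry = Struct.new(:timestamp, :sid, :description, :classification,
                     :priority, :proto, :src, :dst, :raw)

  # Returns an Entry, or nil for lines that do not match the format.
  def self.parse_line(line)
    raw = line.strip
    m = LINE.match(raw)
    return nil unless m
    Entry.new(m[:ts], m[:sid].to_i, m[:desc], m[:cls], m[:prio].to_i,
              m[:proto], m[:src], m[:dst], raw)
  end

  # Entries whose description contains +search+, minus those whose raw line
  # contains any whitelist string and minus lines already acknowledged
  # (the ack list holds full raw lines, as answering "y" would store them).
  def self.matching(lines, search, whitelist = [], acked = [])
    acked_set = acked.map(&:strip).to_set
    lines.map { |l| parse_line(l) }.compact.select do |e|
      e.description.include?(search) &&
        whitelist.none? { |w| e.raw.include?(w) } &&
        !acked_set.include?(e.raw)
    end
  end

  # Nagios exit code: 0 (OK) when nothing unacknowledged matched, else 2 (CRITICAL).
  def self.nagios_status(lines, search, whitelist = [], acked = [])
    matching(lines, search, whitelist, acked).empty? ? 0 : 2
  end
end
# Constructed sample input: the two lines from the post, one unrelated alert
# and one malformed line.
SAMPLE_LINES = [
  "10/04/2016-13:39:45.498785 [**] [1:2001595:10] ET CHAT Skype VOIP Checking Version (Startup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:40460 -> 15.14.13.12:80",
  "10/05/2016-09:25:01.186862 [**] [1:2001595:10] ET CHAT Skype VOIP Checking Version (Startup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:49491 -> 100.254.198.10:80",
  "10/05/2016-10:00:00.000000 [**] [1:9999999:1] EXAMPLE constructed non-chat alert [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 192.168.0.1:5353 -> 224.0.0.251:5353",
  "this is not a fast.log line"
]
puts SuricataFastLog.matching(SAMPLE_LINES, "ET CHAT", [], [SAMPLE_LINES[0]]).map(&:dst)
```

With the first line acknowledged, only the second "ET CHAT" hit remains and the status would be CRITICAL; acknowledging both (or whitelisting their destinations) returns OK.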

Download the Sources

The sources can be found on my GitHub account and can be downloaded using git:

git clone https://github.com/whotwagner/suricata

Future Work

I am currently working on a logfile analyzer for Suricata. It will be included in future versions of this gem.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti