Suricata in IDS mode


Chandra sekar Veerappan

Aug 11, 2016, 3:37:38 PM8/11/16
to SELKS
Dear SELKS users,

Cheers! Learning the basics.
My SELKS setup is running in a virtual machine on my Windows 7 laptop. I want to configure Suricata in IDS mode.
To test it I run

sudo suricata -c /etc/suricata/suricata.yaml -i eth0  (earlier I missed sudo, so suricata did not start correctly)
Now, it starts correctly.

After that I open a browser and visit a few websites. Then I would like to look at the stats log in /var/log/suricata/stats.log,
but this is a huge file, over 60MB, and due to some special symbols I cannot open it using gedit or nano. I believe it is in JSON format.
Where do I find http.log? Is it still used in current Suricata versions?

Further, does any local rule match create an alert in fast.log?
Am I missing something here... any suggestion is useful (for all newbies..)

Thanks a lot.

Cheers!
Chandra
 

emre....@btpsec.com

Aug 12, 2016, 2:39:51 AM8/12/16
to SELKS
fast.log is disabled by default in Suricata. I do not know why. It was good to see line-based alerts in text. You can enable it from suricata.yaml.
stats.log keeps statistics about packets, protocols, flows, not signatures and alerts. So you do not need that. It is plain text. You should view it with the less or more command. You can make it empty with echo -n "" > stats.log, if you think it is large.
http.log is also disabled by default. Again you can enable it from suricata.yaml.
Finally, what you are actually looking for is eve.json. It is plain text but in JSON format; you can retrieve what you want with the jq command.
I recommend you to use at least the Scirius dashboards.

Peter Manev

Aug 12, 2016, 12:01:37 PM8/12/16
to emre....@btpsec.com, SELKS
On Fri, Aug 12, 2016 at 7:39 AM, <emre....@btpsec.com> wrote:
> fast.log is disabled by default in Suricata. I do not know why. It was good
> to see line-based alerts in text. You can enable it from suricata.yaml.
> stats.log keeps statistics about packets, protocols, flows, not signatures
> and alerts. So you do not need that. It is plain text. You should view it with the less
> or more command. You can make it empty with echo -n "" > stats.log, if you think
> it is large.
> http.log is also disabled by default. Again you can enable it from
> suricata.yaml.
> Finally, what you are actually looking for is eve.json. It is plain text but in JSON
> format; you can retrieve what you want with the jq command.
> I recommend you to use at least the Scirius dashboards.

Correct.
eve.json holds all the logs - alert/dns/smtp/ssh/tls/fileinfo/http in JSON format.
This is the log file that is being digested by Elasticsearch (via
Logstash) and from there used by Kibana, Scirius and EveBox for
visualizations.




--
Regards,
Peter Manev
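The two replies above point the original poster at eve.json, where every event type (alert, http, dns, ...) is one JSON object per line. The script below is an added example for this thread, not code from SELKS or Suricata: it reads eve.json lines, counts the event types, skips an incomplete trailing line (Suricata appends to the file while running, so the last line can be cut off), and renders the alert events in a fast.log-style one-per-line format, which gives the line-based alert view Emre mentions even when fast.log output is turned off. The sample lines are constructed for the example and the field names follow Suricata's EVE alert/http/dns records.

```python
"""Summarise a Suricata eve.json file and list its alerts one per line.

Added example for this thread, not part of SELKS or Suricata. It assumes
eve.json is newline-delimited JSON with one event per line and an
"event_type" field, as the replies above describe. SAMPLE_EVE below is
constructed for the example.
"""
import json
import sys
from collections import Counter

# Constructed sample of eve.json lines: one alert, one http, one dns,
# and one truncated line, as a file still being written can contain.
SAMPLE_EVE = """\
{"timestamp":"2016-08-11T22:40:01.000000+0300","event_type":"alert","src_ip":"192.0.2.10","src_port":51000,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL test rule","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2016-08-11T22:40:01.100000+0300","event_type":"http","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","http":{"hostname":"example.com","url":"/","http_method":"GET","status":200}}
{"timestamp":"2016-08-11T22:40:00.500000+0300","event_type":"dns","src_ip":"192.0.2.10","dest_ip":"192.0.2.1","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2016-08-11T22:40:02.000000+0300","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5",
"""


def iter_events(lines):
    """Yield parsed events, silently skipping lines that are not complete JSON.

    Stopping at the first bad line would drop everything after a truncated
    record, so malformed lines are skipped instead of raising.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def count_event_types(lines):
    """Return a Counter of event_type values, e.g. {'alert': 1, 'http': 1, 'dns': 1}."""
    return Counter(ev.get("event_type", "unknown") for ev in iter_events(lines))


def alerts_as_fast_lines(lines):
    """Render alert events as fast.log-style lines.

    Layout modelled on fast.log:
    'ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src:sp -> dst:dp'
    """
    out = []
    for ev in iter_events(lines):
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        out.append(
            "{ts} [**] [{gid}:{sid}:{rev}] {msg} [**] [Classification: {cls}] "
            "[Priority: {pri}] {{{proto}}} {src}:{sp} -> {dst}:{dp}".format(
                ts=ev["timestamp"], gid=a["gid"], sid=a["signature_id"], rev=a["rev"],
                msg=a["signature"], cls=a["category"], pri=a["severity"],
                proto=ev["proto"], src=ev["src_ip"], sp=ev["src_port"],
                dst=ev["dest_ip"], dp=ev["dest_port"]))
    return out


if __name__ == "__main__":
    # Pass a real file (e.g. /var/log/suricata/eve.json) or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_EVE.splitlines()
    for etype, n in sorted(count_event_types(lines).items()):
        print(f"{etype}: {n}")
    for fast_line in alerts_as_fast_lines(lines):
        print(fast_line)
```

Run it as `python3 eve_summary.py /var/log/suricata/eve.json` (the file name is whatever you save it as). Lines are read into a list once so both passes see the same data; on a multi-gigabyte eve.json you would instead stream the file twice or fold both passes into one loop.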