I'm using Suricata IDS / IPS / network security monitoring software and logging its alerts into syslog. Once the alerts are in syslog they can be processed later by Logstash, stored in Elasticsearch and viewed with Kibana. I'm using Ubuntu Linux Server 14.04 LTS for this setup.
Simple guide :-
1) Install suricata and oinkmaster
apt-get update
apt-get install suricata oinkmaster
* suricata disabled, please adjust the configuration to your needs
* and then set RUN to 'yes' in /etc/default/suricata to enable it.
2) Download rules
2.1) Create directory
mkdir /etc/suricata/rules
Edit /etc/oinkmaster.conf using vi or pico and add this line:
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
Save, then run a test download:
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
Check that /etc/suricata/rules now contains the downloaded rule files.
3) Create a cron file named oinkmaster in /etc/cron.d
pico /etc/cron.d/oinkmaster
Add this line (entries in /etc/cron.d need a user field, here root, between the schedule and the command, otherwise cron treats the first word of the command as the user name and the job never runs):
0 2 * * * root /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
4) edit /etc/suricata/suricata-debian.yaml
The file is YAML, so keep the indentation shown below. In the outputs: section enable the syslog alert output:
outputs:
  # Configure the type of alert (and other) logging you would like.
  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: yes
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      #identity: "suricata"
      facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
In the logging: section also send Suricata's own engine log to syslog:
logging:
  outputs:
  - syslog:
      enabled: yes
      facility: local5
      format: "[%i] <%d> -- "
Then point Suricata at the rules oinkmaster downloaded:
# Set the default rule path here to search for the files.
# if not set, it will look at the current working dir
default-rule-path: /etc/suricata/rules
rule-files:
  # one " - name.rules" entry per file that oinkmaster placed in default-rule-path
classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config
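With both syslog outputs enabled, local5 carries two different kinds of line: alert lines in the fast.log-like layout and engine log lines in the "[%i] <%d> -- " layout. Before building the Logstash grok filter it helps to have a parser that splits the two apart and pulls out the fields Kibana will be searched on. The script below is an added example, not code from the original page or from the Suricata project; the sample lines are constructed, and the alert line layout ([gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port) is assumed from Suricata's syslog alert output.

```python
import re

# Constructed sample lines as rsyslog would write them for facility local5
# (assumed layout; the first two are alerts, the third is an engine log line).
SAMPLE_LINES = [
    "Jan 14 12:34:56 ids01 suricata[1234]: [1:1000001:2] EXAMPLE TEST "
    "suspicious response [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.25:44321",
    "Jan 14 12:35:01 ids01 suricata[1234]: [1:1000002:1] EXAMPLE TEST "
    "odd DNS query [Classification: Misc activity] "
    "[Priority: 3] {UDP} 192.0.2.25:51000 -> 203.0.113.53:53",
    "Jan 14 12:34:50 ids01 suricata[1234]: [1234] <Notice> -- "
    "This is Suricata version EXAMPLE",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s"
    r"suricata\[(?P<pid>\d+)\]:\s"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s"
    r"(?P<msg>.+?)\s"
    r"\[Classification:\s(?P<classification>[^\]]*)\]\s"
    r"\[Priority:\s(?P<priority>\d+)\]\s"
    r"\{(?P<proto>[^}]+)\}\s"
    r"(?P<src_ip>\S+):(?P<src_port>\d+)\s->\s(?P<dst_ip>\S+):(?P<dst_port>\d+)$"
)
INT_FIELDS = ("pid", "gid", "sid", "rev", "priority", "src_port", "dst_port")


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in INT_FIELDS:
        fields[key] = int(fields[key])
    return fields


def parse_lines(lines):
    """Split a syslog stream into parsed alerts and a count of other lines."""
    parsed = [parse_alert(line) for line in lines]
    alerts = [p for p in parsed if p is not None]
    return alerts, len(parsed) - len(alerts)


def count_by_priority(alerts):
    """Summary a dashboard would show: number of alerts per priority."""
    counts = {}
    for alert in alerts:
        counts[alert["priority"]] = counts.get(alert["priority"], 0) + 1
    return counts


if __name__ == "__main__":
    alerts, skipped = parse_lines(SAMPLE_LINES)
    print(len(alerts), "alerts,", skipped, "non-alert lines", count_by_priority(alerts))
```

The same named groups map one-to-one onto a grok pattern for the Logstash side of the pipeline.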
Further reading :-
https://web.nsrc.org/workshops/2015/pacnog17-ws/raw-attachment/wiki/Track2Agenda/ex-suricata-rules.htm
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster