A few beginner questions

So, i have installed Suricata 6.0.10 on a Debian 12 router (from apt).
Yes, its a bit old i know, i might install a newer one if i get things properly working (for me), but thats for later:) 6.0.10 is what Debian provides for now.

I have enabled a few more sources (other than et/open).
And I have tuned out a lot of noise with disable.conf and appending “not net a.b.c.d/x” to the startup command, and such.
The eve.json grows so fast that its currently disabled.

  1. Updating rules regularly.
    Its just creating a cron-job with suricata-update and a reload of the service? Like once a day?

  2. Can i somehow get only “alert-related” events in eve.json? (or somewhere else)
    I would like to get some more info about alerts, but i dont want everything saved in eve.json.
    For instance, an alert about some device having resolved a TOR hostname (.onion) - which hostname did it resolve?

  3. Does everyone use a dashboard of some kind to sometimes review whats going on?
    Personally (once i have tuned out even more noise) i think i would like to get emails or something, like “whats new in the log the past 15min”.
    But it doesnt look like thats how people use Suricata?
    So i guess i should set up some logcheck/iwatch/whatever mechanism for this, right?

  4. suricata-update creates a rules file in /var/lib/suricata/rules/, and that gets loaded (see conf below).
    But the rules files in /etc/suricata/rules/ dont seem to get loaded, should they? (i tried adding a custom rule to one to check, and couldnt get it triggered).
    Also, the files in /etc/suricata/rules/ are not updated by suricata-update. How do these two things relate? :slight_smile:
    My local.rules in /var/lib/suricata/rules/ works fine though.

# the /etc/... line was enabled by default in Debian
default-rule-path: /etc/suricata/rules
#default-rule-path: /var/lib/suricata/rules/

rule-files:
#  - *.rules
  - /var/lib/suricata/rules/suricata.rules
  - /var/lib/suricata/rules/local.rules

wbr / Alex

  1. This depends on your requirements, but in general a daily update and reload is good since most rule vendors also update daily.

  2. You can fine tune the eve.json output by the types section, see 12.1. Suricata.yaml — Suricata 8.0.0-dev documentation for more details. When you just run the alerts you will only receive the alert event type including some metadata. But you will loose a bit more context that is provided by the other event types.

  3. Many people use post processing tools and log aggregation to handle the amount of logs. There they create dashboards or other types of helping tools.

  4. This depends on your suricata.yaml file and also on how you configured suricata-update. You need to make sure that suricata-update writes the rule file to the directory that is configured in the suricata.yaml.

  1. yeah, so just putting that in a cron-job? an update and a reload i mean

  2. yepp, have managed to tune it so i get a lesser amount now:)

  3. ok, i’ve set up so that i get emails about alerts:)

  4. yes, suricata-update does write to /var/lib/suricata/rules/suricata.rules

When i run the update i can see a bunch of lines like this
“Loading distribution rule file /etc/suricata/rules/app-layer-events.rules”

But not for all files in /etc/suricata/rules/. Not for ssh.rules for instance, that seems to get skipped.

Most/all rules in files in /etc/suricata/rules/… seem to end up in /var/lib/suricata/rules/suricata.rules, but some are commented out in lib even though they arent on etc.

I dont get this:)

The rules files below /etc/ are loaded by the update no matter what i have set default-rule-path to (in suricata.yaml).

I dont get the logic:)