So, I have installed Suricata 6.0.10 on a Debian 12 router (from apt).
Yes, it's a bit old, I know; I might install a newer one if I get things properly working (for me), but that's for later :) 6.0.10 is what Debian provides for now.
I have enabled a few more sources (other than et/open).
And I have tuned out a lot of noise with disable.conf and appending “not net a.b.c.d/x” to the startup command, and such.
The eve.json grows so fast that it's currently disabled.
-
Updating rules regularly.
It's just creating a cron job with suricata-update and a reload of the service? Like once a day?
-
Can I somehow get only “alert-related” events in eve.json? (or somewhere else)
I would like to get some more info about alerts, but I don't want everything saved in eve.json.
For instance, an alert about some device having resolved a TOR hostname (.onion): which hostname did it resolve?
-
Does everyone use a dashboard of some kind to sometimes review what's going on?
Personally (once I have tuned out even more noise) I think I would like to get emails or something, like “what's new in the log the past 15 min”.
But it doesn't look like that's how people use Suricata?
So I guess I should set up some logcheck/iwatch/whatever mechanism for this, right?
-
suricata-update creates a rules file in /var/lib/suricata/rules/, and that gets loaded (see conf below).
But the rules files in /etc/suricata/rules/ don't seem to get loaded; should they? (I tried adding a custom rule to one to check, and couldn't get it triggered.)
Also, the files in /etc/suricata/rules/ are not updated by suricata-update. How do these two things relate?
My local.rules in /var/lib/suricata/rules/ works fine though.
# the /etc/... line was enabled by default in Debian
default-rule-path: /etc/suricata/rules
#default-rule-path: /var/lib/suricata/rules/
rule-files:
  # - *.rules
  - /var/lib/suricata/rules/suricata.rules
  - /var/lib/suricata/rules/local.rules
wbr / Alex
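The second and third questions above (alert-only output, the resolved name behind a DNS alert, and a "what's new in the past 15 min" digest) are addressed below with an added Python example; it is not code from the original post or from the Suricata project. It assumes the EVE layout Suricata 6 writes when the alert output's app-layer metadata option is enabled (the default): an alert raised on a DNS query carries a "dns" object with a "query" list whose entries have an "rrname". The sample eve.json lines, signature ids and the .onion name are constructed. On the router itself, eve.json can be limited to alerts by keeping only the "- alert:" entry under outputs → eve-log → types in suricata.yaml, and this script can then be run from cron to mail the digest.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of eve.json lines (not real Suricata output):
#  1. a DNS alert that carries app-layer metadata with the queried name
#  2. a plain "dns" event (not an alert, so it must be dropped)
#  3. an alert older than the 15-minute window (must be dropped by the digest)
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T12:30:05.123456+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.1","proto":"UDP","app_proto":"dns","alert":{"signature_id":2012345,"signature":"Constructed: DNS query to .onion domain","category":"Potentially Bad Traffic","severity":2},"dns":{"query":[{"type":"query","id":4711,"rrname":"example.onion","rrtype":"A","tx_id":0}]}}
{"timestamp":"2024-05-01T12:31:00.000000+0000","event_type":"dns","src_ip":"10.0.0.8","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"debian.org","rrtype":"A"}}
{"timestamp":"2024-05-01T11:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"198.51.100.5","proto":"TCP","alert":{"signature_id":2000001,"signature":"Constructed: old alert","category":"Misc","severity":3}}
"""

# Fixed "now" so the sample is reproducible; in production use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2024, 5, 1, 12, 40, tzinfo=timezone.utc)


def parse_timestamp(ts: str) -> datetime:
    """Parse Suricata's EVE timestamp, e.g. 2024-05-01T12:30:05.123456+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def iter_alerts(lines):
    """Yield only event_type == 'alert' records; skip blank or half-written lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # A partially written last line is normal while Suricata is still running.
            continue
        if event.get("event_type") == "alert":
            yield event


def resolved_names(alert):
    """Return the DNS names from the app-layer metadata embedded in an alert."""
    queries = (alert.get("dns") or {}).get("query") or []
    return [q["rrname"] for q in queries if q.get("rrname")]


def recent_alerts(lines, now, window_minutes=15):
    """Alerts whose timestamp falls within the last window_minutes before now."""
    cutoff = now - timedelta(minutes=window_minutes)
    return [a for a in iter_alerts(lines) if parse_timestamp(a["timestamp"]) >= cutoff]


def digest(lines, now, window_minutes=15):
    """One text line per recent alert: time, src -> dst, sid, signature, DNS names."""
    out = []
    for a in recent_alerts(lines, now, window_minutes):
        names = resolved_names(a)
        suffix = " dns=" + ",".join(names) if names else ""
        out.append(
            f"{a['timestamp']} {a['src_ip']} -> {a['dest_ip']} "
            f"[{a['alert']['signature_id']}] {a['alert']['signature']}{suffix}"
        )
    return out


def sample_digest():
    """Digest of the constructed sample at the fixed SAMPLE_NOW."""
    return digest(SAMPLE_EVE.splitlines(), SAMPLE_NOW)


if __name__ == "__main__":
    # Real use: open("/var/log/suricata/eve.json") and now = datetime.now(timezone.utc);
    # pipe the output to mail(1) from a cron entry that runs every 15 minutes.
    for line in sample_digest():
        print(line)
```

Only the .onion alert survives: the plain dns event is not an alert, and the 11:00 alert is outside the 15-minute window. Because the name comes from the alert's own metadata, the dns event type can stay disabled in eve.json and the file stops growing with every lookup on the network.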