Can I use a Suricata IDS alert to trigger some python code?

Can anyone offer any advice regarding the above question?
Basically, I have a small program written in python that I would like to start when Suricata triggers a specific alert.

I would like a solution that does not require an interactive logon (such as by reading from stdout for example).

As you can probably tell, I'm new to Suricata, so I'm struggling to understand how I might achieve this.

Any help gratefully received.


The easiest might be to run your python code on the eve.json? Parsing it with python is fairly easy.

OK thanks.

The code will run on the same machine that is hosting Suricata, and I need the code to trigger the instant the alert comes in. Is it possible to configure an eve.json with a Unix domain socket that my code listens on, so it will trigger as soon as the alert appears in that log, or is there an easier way?


Keep in mind that Suricata connects to a socket, it doesn’t create it. So you’ll have to set the socket up.

The EVE config should be limited to just logging alerts probably. You can have multiple eve instances if you need regular eve logging as well.

Ah, great thanks.

So for the output config in suricata.yaml for the EVE log I intend to collect data from, I want something like this?

```yaml
outputs:
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: unix_dgram
      filename: [name of configured socket]
      types:
        - alert   # only alerts, as suggested above
```

Thanks again for your help.

I think with dgram you might run into record size issues, depending on how much metadata you config the alerts to have. unix_stream might be a safer bet.

I'll give that a try, thanks very much for your help.
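The listener side of the setup discussed above, as an added example that is not code from the thread or from the Suricata project: it creates the Unix stream socket that Suricata connects to, reassembles newline-delimited EVE records from the byte stream (the record-boundary problem that makes unix_stream safer than unix_dgram), and calls a handler for one signature id. The socket path and the signature id are hypothetical placeholders.

```python
import json
import os
import socket

# Hypothetical values: the path must match `filename:` of the unix_stream
# eve-log output, and the sid is the rule you want to react to.
SOCKET_PATH = "/var/run/suricata/eve-alerts.sock"
WATCHED_SID = 2100498

class EveStreamReader:
    """Reassemble newline-delimited EVE JSON from arbitrary stream chunks.
    A unix_stream socket delivers bytes, not records, so a recv() may end
    in the middle of a JSON object; only complete lines are decoded."""

    def __init__(self):
        self._buf = b""

    def feed(self, chunk):
        """Return the records completed by this chunk (possibly none)."""
        self._buf += chunk
        records = []
        while b"\n" in self._buf:
            line, self._buf = self._buf.split(b"\n", 1)
            if line.strip():
                try:
                    records.append(json.loads(line))
                except ValueError:
                    pass  # skip a malformed line rather than stop reading
        return records

def matches(event, sid=WATCHED_SID):
    """True for an alert record carrying the watched signature id."""
    return (event.get("event_type") == "alert"
            and event.get("alert", {}).get("signature_id") == sid)

def serve(path=SOCKET_PATH, sid=WATCHED_SID, on_alert=print):
    """Create the socket Suricata connects to; call on_alert per match."""
    if os.path.exists(path):
        os.unlink(path)  # remove a stale socket left by a previous run
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    while True:  # Suricata reconnects after a restart, so accept again
        conn, _ = srv.accept()
        reader = EveStreamReader()
        with conn:
            while chunk := conn.recv(65536):
                for event in reader.feed(chunk):
                    if matches(event, sid):
                        on_alert(event)
```

Start `serve()` before Suricata (or restart Suricata afterwards) so the socket exists when it tries to connect, and run it under a service manager rather than an interactive session.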