Create customize suricata using bash script

arafatx · September 23, 2021, 6:15am

I know that report in suricata like fast.log can be customized using lua script (fast.lua) but is it possible to use bash script to have the similar custom report like fast.sh? I’m more familar with bash scripting.

Andreas_Herz · September 28, 2021, 9:23pm

There is no direct bash support, no. You could use different outputs, especially the advanced eve output and use postprocessing.

arafatx · September 30, 2021, 3:13am

Thanks for the suggestion. Can we make the eve output only display alert log like fast.log? There are a bunch of JSON data in eve output even if alert is not triggered. I think this can be customized in suricata.yaml, but there are too many of them. Can anyone show me this config that will make eve.json output the similar thing from fast.log ?

ish · September 30, 2021, 5:08am

In your suricata.yaml you will want to limit the types that are logged to just alert. See this part of the YAML:

github.com

OISF/suricata/blob/master/suricata.yaml.in#L155

    
      
            mode: extra-data
            # Two proxy deployments are supported: "reverse" and "forward". In
            # a "reverse" deployment the IP address used is the last one, in a
            # "forward" deployment the first IP address is used.
            deployment: reverse
            # Header name where the actual IP address will be reported. If more
            # than one IP address is present, the last IP address will be the
            # one taken into consideration.
            header: X-Forwarded-For
          
          
types:
            - alert:
                # payload: yes             # enable dumping payload in Base64
                # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
                # payload-printable: yes   # enable dumping payload in printable (lossy) format
                # packet: yes              # enable dumping of packet (without stream segments)
                # metadata: no             # enable inclusion of app layer metadata with alert. Default yes
                # http-body: yes           # Requires metadata; enable dumping of HTTP body in Base64
                # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
          
          
      # Enable the logging of tagged packets for rules using the

And remove all types from that array except alert, and you will only get alerts. It’ll still be JSON, but should align with what you see in fast.log.

arafatx · September 30, 2021, 1:41pm

Thank you so much, I will try this.

Topic		Replies	Views
Rules and log files	1	1267	November 28, 2023
Performance of Lua-Output in high-alert throughput Developers rules , suricata , lua	4	721	February 2, 2023
Suricata eve.JSON in Security Onion Help ips , community	4	1193	May 14, 2021
Suricata does not generate the fast.log file Help	5	3033	October 7, 2020
Fast.log not being written to Help suricata	13	146	September 9, 2024

Create customize suricata using bash script

Related topics