Eve.json severity:1

Hi All,
I’ve just started using Suricata and I love this product.

Just a simple question: is it possible to limit eve.json output to alerts with “severity:1”, or to filter out rules so that only events with severity:1 are printed?

Thanks a lot for your patience.
Best regards

Hi there,

I am not aware of such a possibility (this is not to say there isn’t one!).
What comes to mind are thresholds, but I’m not sure this would be easily achievable nor reasonable to use in such a way, as: i) afaik we don’t have severity as a thresholding option; ii) you could end up having to filter out way too many rules.

May I ask why you want to do that? Is it due to verbosity, or log volume? Would it be acceptable for you to apply a post filter to the log, to get the info you’re looking for (in case log volume isn’t an issue)?

Another thing I’d like to point out is that, unless you’re talking about a customized ruleset, the severity of a rule isn’t a guarantee that these are the most important rules for your network profile - traffic, uses, resources to protect…

Hi Ju,
my goal is to receive an email when an alert with [severity: 1] is raised.
This email will become the starting point for investigating the alert in depth and eventually any open security flaws.

Anyway, I solved the problem with a crontab script that processes fast.log.

Thanks a lot for your kind help.

1 Like

Hi!

You can use suricata-update to disable rules that do not have severity:1 before the engine starts. See suricata-update - Update — suricata-update 1.3.0 documentation

1 Like

Hi Shivani,
following Ju Fajardini’s suggestion, I think it is better to display only alerts with severity:1, but it’s also useful to store all alerts in case of deep investigations.

So I created a crontab to extract only alerts with severity:1.

Regards

2 Likes
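The post filter suggested earlier in the thread, run from cron the way the last posts describe, as an added example (not code from the thread or from the Suricata project): it reads eve.json, which Suricata writes as one JSON event per line with an `event_type` and, for alerts, an `alert.severity` field, keeps only severity-1 alerts, and remembers a byte offset in a state file so each cron run reports only new events. The sample eve.json lines are constructed, and the eve.json and state-file paths are whatever the caller passes in.

```python
import json
import os

# Constructed sample eve.json content (NDJSON); the last line is cut off to mimic an event Suricata is still writing.
SAMPLE_EVE = (
    '{"timestamp":"2024-01-01T10:00:00+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"dest_ip":"10.0.0.9","alert":{"signature_id":1000001,"signature":"Constructed sev-1 rule","severity":1}}\n'
    '{"timestamp":"2024-01-01T10:00:01+0000","event_type":"alert","src_ip":"10.0.0.6",'
    '"dest_ip":"10.0.0.9","alert":{"signature_id":1000002,"signature":"Constructed sev-3 rule","severity":3}}\n'
    '{"timestamp":"2024-01-01T10:00:02+0000","event_type":"flow","src_ip":"10.0.0.6","dest_ip":"10.0.0.9"}\n'
    '{"timestamp":"2024-01-01T10:00:03+0000","event_type":"ale'
)

def complete_lines(f):
    """Yield newline-terminated lines from a binary file; leave a trailing partial line unread for the next run."""
    while True:
        pos = f.tell()
        line = f.readline()
        if not line.endswith(b"\n"):  # EOF or a partially written event
            f.seek(pos)
            return
        yield line

def severity_alerts(lines, max_severity=1):
    """Keep only alert events whose alert.severity is <= max_severity (1 is the most severe)."""
    for line in lines:
        try:
            ev = json.loads(line)
        except (json.JSONDecodeError, UnicodeDecodeError):
            continue  # malformed line: skip it rather than abort the whole run
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("severity", 99) <= max_severity:
            yield ev

def scan_new_events(eve_path, state_path, max_severity=1):
    """Cron-friendly scan: read only bytes appended since the last run; the offset is kept in state_path."""
    offset = 0
    if os.path.exists(state_path):
        with open(state_path) as f:
            offset = int(f.read().strip() or 0)
    if os.path.getsize(eve_path) < offset:
        offset = 0  # eve.json was rotated or truncated: start over
    with open(eve_path, "rb") as f:
        f.seek(offset)
        hits = list(severity_alerts(complete_lines(f), max_severity))
        new_offset = f.tell()
    with open(state_path, "w") as f:
        f.write(str(new_offset))
    return hits
```

Each returned event is the full alert record, so the mail body can include the signature, source and destination while eve.json itself keeps every alert for later investigation.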