How to detect on restored raw HTTP logs with the rule engine?

In our IDC environment we don't have any traffic SPAN setup; we only have restored raw HTTP logs in a message queue. So we want to split out the detection function of Suricata and let Suricata detect only on the raw HTTP logs, based on the rule engine.

We just want to know whether Suricata has APIs or interfaces to receive the log; we can format the HTTP log into whatever Suricata supports.

If Suricata does not have any such interface, how could we do some customized development based on the existing function modules in the source code?


Suricata was created to process network traffic, not logs.
Reusing the detection logic for a new log-processing engine sounds like a huge amount of work for something that can be achieved by different means.

I would look into ingesting the logs into Elasticsearch, Splunk or a similar solution and creating the detection logic there.

Thanks so much for your reply.
We just want to know whether there is some method to detect on HTTP logs efficiently based on the existing Suricata rules.
The rule engine of Suricata has become the standard high-performance rule-based detection engine, so we want to use the engine module directly and then adjust the restored HTTP log into a Suricata-supported input format, though maybe that is a huge amount of work as well.
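One input format Suricata does support is a packet capture read offline with `suricata -r`, so the conversion the last post talks about can be done by wrapping each restored request/response pair in a synthetic TCP session and writing it out as a pcap; the stream engine and the HTTP parser then see it exactly as they would see live traffic, and the normal `http.*` rule buffers apply. The block below is an added example, not code from this thread or from the Suricata project: the HTTP exchange, the IP addresses, ports and initial sequence numbers are all constructed, and the frame building uses only the Python standard library.

```python
import socket
import struct
import time

# Constructed sample exchange (not real traffic): a suspicious GET and its reply.
SAMPLE_REQUEST = (
    b"GET /index.php?id=1%27%20OR%201=1-- HTTP/1.1\r\n"
    b"Host: shop.example.test\r\n"
    b"User-Agent: curl/7.88.1\r\n"
    b"Accept: */*\r\n\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"Content-Length: 13\r\n\r\n<html></html>"
)

SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01
# dst MAC, src MAC (locally administered, made up), EtherType IPv4
ETH_HDR = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
# classic pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def checksum(data):
    """RFC 1071 ones'-complement sum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", ip_id=0):
    """Ethernet + IPv4 + TCP frame. Checksums are computed properly because the
    stream engine checks them unless configured otherwise."""
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ETH_HDR + ip + tcp


def http_exchange_to_packets(request, response,
                             client=("10.0.0.1", 40000), server=("10.0.0.2", 80)):
    """Wrap one request/response pair in a complete TCP session (handshake,
    data, FIN exchange) with consistent seq/ack numbers so reassembly succeeds."""
    c_ip, c_port = client
    s_ip, s_port = server
    seq = {"c": 1000, "s": 5000}  # arbitrary initial sequence numbers
    pkts = []

    def c2s(flags, payload=b""):  # client -> server, IP id = frame index
        pkts.append(build_packet(c_ip, s_ip, c_port, s_port, seq["c"], seq["s"], flags, payload, len(pkts) + 1))

    def s2c(flags, payload=b""):  # server -> client
        pkts.append(build_packet(s_ip, c_ip, s_port, c_port, seq["s"], seq["c"], flags, payload, len(pkts) + 1))

    c2s(SYN)  # ack field is ignored on a bare SYN
    seq["c"] += 1
    s2c(SYN | ACK)
    seq["s"] += 1
    c2s(ACK)
    c2s(PSH | ACK, request)
    seq["c"] += len(request)
    s2c(ACK)
    s2c(PSH | ACK, response)
    seq["s"] += len(response)
    c2s(ACK)
    c2s(FIN | ACK)
    seq["c"] += 1
    s2c(FIN | ACK)
    seq["s"] += 1
    c2s(ACK)
    return pkts


def verify_checksums(pkt):
    """True if the IPv4 and TCP checksums of a built frame validate (sum to zero)."""
    ip, tcp = pkt[14:34], pkt[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


def pcap_bytes(packets, start_ts=None):
    """Serialize frames as a classic pcap with monotonic timestamps 1 ms apart."""
    ts = time.time() if start_ts is None else start_ts
    out = [PCAP_GLOBAL]
    for i, pkt in enumerate(packets):
        t = ts + i * 0.001
        sec = int(t)
        out.append(struct.pack("<IIII", sec, int((t - sec) * 1_000_000), len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


if __name__ == "__main__":
    frames = http_exchange_to_packets(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    with open("restored_http.pcap", "wb") as f:
        f.write(pcap_bytes(frames))
    print("wrote restored_http.pcap (%d frames)" % len(frames))
    print("run: suricata -r restored_http.pcap -S local.rules -l ./logs")
```

With a `local.rules` containing e.g. `alert http any any -> any any (msg:"SQLi probe in URI"; http.uri; content:"1=1"; sid:1000001; rev:1;)`, `suricata -r restored_http.pcap -S local.rules -l ./logs` writes the alert to `logs/fast.log` and `logs/eve.json`. Two caveats: this only works if the restored log still carries the verbatim request and response bytes (start line, headers and body); a normalised record of URI, status and user agent cannot feed `http.header` or `http.request_body` content matches. And when batching many exchanges into one file, give each its own client port (or keep one sequence space per keep-alive connection) and keep the timestamps increasing, otherwise the stream engine will see overlapping or out-of-order sessions.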