vagrant-ids - An Ubuntu 16.04 build containing Suricata, PulledPork, Bro, and Splunk

  •    Shell

Suricata is configured to start up using the sole "ens32" interface. Rules are stored in /etc/suricata/rules. After installation, Suricata will perform two curl commands to ensure that the detection engine and logging are functioning properly. However, please note that the vagrant build will continue even if the tests fail.

suricata-verify-old - Suricata Verification Tests - Testing Suricata Output

  •    Python

These are tests that run Suricata with a specific configuration and/or inputs and verify the outputs. Create a directory that is the name of the new test.

docker-suricata - A Suricata Docker image.

  •    Shell

which will map the logs directory (in your current directory) to the Suricata log directory in the container so you can view the Suricata logs from outside the container. This will expose /var/log/suricata from the Suricata container as /var/log/suricata in the Logstash container.

evebox - Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search

  •    Go

EveBox is a web based Suricata "eve" event viewer for Elastic Search. And one of...
py-idstools - idstools: Snort and Suricata Rule and Event Utilities in Python (Including a Rule Update Tool)

  •    Python

py-idstools is a collection of Python libraries for working with IDS systems (typically Snort and Suricata). See the idstools unified2 documentation for more information on reading and parsing unified2 files.

suricata-verify - Suricata Verification Tests - Testing Suricata Output

  •    Python

These are tests that run Suricata with a specific configuration and/or inputs and verify the outputs. Create a directory that is the name of the new test.

pcapdj - pcapdj - dispatch pcap files

  •    C

Network captures often result in very large files. Therefore, tools like tcpdump or dumpcap offer file rotation, either after a fixed size or after a fixed amount of time. When these files are analyzed with a focus on stateful protocols such as TCP, a TCP session may have been established in one pcap file and continue in the following pcap files. When such TCP sessions have to be properly reassembled, either the TCP reassembly tool has to support multiple pcap files as input, or the pcap files have to be merged into a single file using, for instance, a tool such as editcap. In the latter case, however, the result is exactly the very large file that the file rotation was meant to avoid.

nfr - A lightweight tool to score network traffic and flag anomalies

  •    Go

NFR is a lightweight application which processes network traffic using the AlphaSOC Analytics Engine. NFR can monitor log files on disk (e.g. Microsoft DNS debug logs, Bro IDS logs) or run as a network sniffer under Linux to score traffic. Upon processing the data, alerts are presented in JSON format for escalation. NFR expects to find its configuration file in /etc/nfr/config.yml. You can find an example config.yml file in the repository's root directory. The file defines the AlphaSOC Analytics Engine location and configuration, input preferences (e.g. log files to monitor), output preferences, and other variables. If you already have an AlphaSOC API key, update the file with your key and place it within the /etc/nfr/ directory.

balboa - server for indexing and querying passive DNS observations

  •    Go

balboa is the BAsic Little Book Of Answers. It consumes and indexes observations from passive DNS collection, providing a GraphQL interface to access the aggregated contents of the observations database. We built balboa to handle passive DNS data aggregated from metadata gathered by Suricata. The API should be suitable for integration into existing multi-source observable integration frameworks. It is possible to produce results in a Common Output Format compatible schema using the GraphQL API. In fact, the GraphQL schema is modelled after the COF fields.

fever - fast, extensible, versatile event router for Suricata's EVE-JSON format

  •    Go

The Fast, Extensible, Versatile Event Router (FEVER) is a tool for fast processing of events from Suricata's JSON EVE output. What is meant by 'processing' is defined by a number of modular components, for example facilitating fast ingestion into a database. Other processors implement collection, aggregation and forwarding of various metadata (e.g. aggregated and raw flows, passive DNS data, etc.) as well as performance metrics. It is meant to be used in front of (or as a replacement for) general-purpose log processors like Logstash to increase event throughput as observed on sensors that see a lot of traffic.