A collection for the Suricata IDS/IPS. This collection contains :

• Parsers for Suricata logs (both fast.log and eve.json formats)
• Scenarios for Suricata alerts :
  • trigger ban on Major (severity:1) rules
  • trigger ban on >2 distinct rules of severity 2

Note: Tested with Suricata 6

Example acquisition for this collection :

1filename: /var/log/suricata/eve.json
2labels:
3  type: suricata-evelogs

or

1filename: /var/log/suricata/fast.log
2labels:
3  type: suricata-fastlogs

notes :

• Using both acquisitions simultaneously will lead to double decisions or unpredictable behavior. eve.json should be preferred.
• Depending on your distribution/OS, paths to log files might change
• Only relevant if you are manually installing collection