OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: bob@afrinet.eu on July 11, 2018, 11:20:18 am

Title: Suricata as flow logging engine
Post by: bob@afrinet.eu on July 11, 2018, 11:20:18 am
I think it would be nice to be able to use the Suricata flow logging feature as described here:
https://blog.inliniac.net/2014/07/28/suricata-flow-logging/

For the time being there does not seem to be any option in the GUI to send flows to an external logger (besides local log files).

Is there any way to override the configuration of Suricata?
What are the compile time options used?

Main idea would be to be able to use Suricata as a Netflow / Flow collector.
I know this is handled using Netflow in OPNSense, but wouldn't the Suricata log collecting be more efficient ?

Furthermore Suricata has the ability to handle bi-directional flows, where Netflow handles them only unidirectional.

Thanks for your answer.
Title: Re: Suricata as flow logging engine
Post by: mimugmail on July 11, 2018, 12:27:35 pm
I'm not sure if your system will explode if you use Suricata for accounting purposes.
The flows are only logged for a rule match. So you need a rule to match everything ... ??

The files are already locally in /var/log/suricata/eve.json

But only for rule matches ...
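The first post asks whether Suricata's flow records could stand in for NetFlow, and the reply points at /var/log/suricata/eve.json as where those records land. As an added example (not code from the thread or from OPNsense/Suricata), the script below reads EVE JSON lines, keeps only the `event_type: "flow"` records, and shows what the "bi-directional" point in the first post means in practice: a single Suricata flow record carries both directions (`bytes_toserver`/`bytes_toclient`), so one record corresponds to two unidirectional NetFlow-style records. The sample lines are constructed here to mirror the field names Suricata's eve-log `flow` output type writes; they are not taken from a real sensor. The `Flow` class, `parse_eve_flows`, `to_unidirectional` and `bytes_by_destination` are this example's own names.

```python
"""Aggregate Suricata EVE 'flow' records into bidirectional per-flow stats."""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records shaped like eve.json output (example data, not real traffic).
_RECORDS = [
    {"timestamp": "2018-07-11T11:20:18.000000+0000", "flow_id": 1, "event_type": "flow",
     "src_ip": "10.0.0.5", "src_port": 51234, "dest_ip": "93.184.216.34", "dest_port": 443,
     "proto": "TCP", "app_proto": "tls",
     "flow": {"pkts_toserver": 12, "pkts_toclient": 10, "bytes_toserver": 1500,
              "bytes_toclient": 9800, "state": "closed", "reason": "timeout"}},
    {"timestamp": "2018-07-11T11:20:19.000000+0000", "flow_id": 2, "event_type": "flow",
     "src_ip": "10.0.0.5", "src_port": 40000, "dest_ip": "10.0.0.1", "dest_port": 53,
     "proto": "UDP", "app_proto": "dns",
     "flow": {"pkts_toserver": 1, "pkts_toclient": 1, "bytes_toserver": 60,
              "bytes_toclient": 120, "state": "established", "reason": "timeout"}},
    # ICMP flows carry no ports; the parser must tolerate their absence.
    {"timestamp": "2018-07-11T11:20:20.000000+0000", "flow_id": 3, "event_type": "flow",
     "src_ip": "10.0.0.7", "dest_ip": "10.0.0.1", "proto": "ICMP",
     "flow": {"pkts_toserver": 2, "pkts_toclient": 0, "bytes_toserver": 196,
              "bytes_toclient": 0, "state": "new", "reason": "timeout"}},
    # An alert event: a different event_type, so it is skipped by the flow parser.
    {"timestamp": "2018-07-11T11:20:21.000000+0000", "flow_id": 1, "event_type": "alert",
     "src_ip": "10.0.0.5", "dest_ip": "93.184.216.34", "proto": "TCP",
     "alert": {"signature": "example signature", "severity": 2}},
]
# One truncated line simulates a record cut off mid-write (eve.json is appended live).
SAMPLE_EVE_LINES = [json.dumps(r) for r in _RECORDS] + ['{"event_type": "flow", "src_ip": "10.0']


@dataclass(frozen=True)
class Flow:
    """One bidirectional Suricata flow record (this example's own type)."""
    flow_id: int
    src_ip: str
    src_port: int
    dest_ip: str
    dest_port: int
    proto: str
    app_proto: str
    pkts_toserver: int
    pkts_toclient: int
    bytes_toserver: int
    bytes_toclient: int

    @property
    def total_bytes(self) -> int:
        return self.bytes_toserver + self.bytes_toclient


def parse_eve_flows(lines):
    """Return Flow objects for every parseable 'flow' event; skip other events and bad lines."""
    flows = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # partial or corrupt line: skip rather than abort the whole pass
        if rec.get("event_type") != "flow":
            continue
        f = rec.get("flow", {})
        flows.append(Flow(
            flow_id=int(rec.get("flow_id", 0)),
            src_ip=rec["src_ip"], src_port=int(rec.get("src_port", 0)),
            dest_ip=rec["dest_ip"], dest_port=int(rec.get("dest_port", 0)),
            proto=rec.get("proto", ""), app_proto=rec.get("app_proto", ""),
            pkts_toserver=int(f.get("pkts_toserver", 0)), pkts_toclient=int(f.get("pkts_toclient", 0)),
            bytes_toserver=int(f.get("bytes_toserver", 0)), bytes_toclient=int(f.get("bytes_toclient", 0)),
        ))
    return flows


def to_unidirectional(flow):
    """Split one bidirectional flow into NetFlow-style (src, dst, pkts, bytes) records.

    Directions that carried no packets are dropped, as a NetFlow exporter would not emit them.
    """
    out = []
    if flow.pkts_toserver:
        out.append((flow.src_ip, flow.dest_ip, flow.pkts_toserver, flow.bytes_toserver))
    if flow.pkts_toclient:
        out.append((flow.dest_ip, flow.src_ip, flow.pkts_toclient, flow.bytes_toclient))
    return out


def bytes_by_destination(flows):
    """Total bytes in both directions, keyed by (dest_ip, dest_port, proto)."""
    totals = defaultdict(int)
    for fl in flows:
        totals[(fl.dest_ip, fl.dest_port, fl.proto)] += fl.total_bytes
    return dict(totals)


if __name__ == "__main__":
    parsed = parse_eve_flows(SAMPLE_EVE_LINES)
    for fl in parsed:
        print(fl.proto, fl.src_ip, "->", fl.dest_ip, fl.total_bytes, "bytes;",
              len(to_unidirectional(fl)), "NetFlow-style record(s)")
    for key, total in sorted(bytes_by_destination(parsed).items()):
        print(key, total)
```

To use it against a real sensor, replace `SAMPLE_EVE_LINES` with the lines of /var/log/suricata/eve.json (the file is one JSON object per line, so it can be read lazily). Only records with `event_type` equal to `flow` are counted; alert records for the same `flow_id` are ignored so traffic is not double-counted.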