OPNsense Forum » English Forums » Intrusion Detection and Prevention
Topic: suricata reporting Scirius, Evebox or Kibana
lshantz (Full Member), October 27, 2019, 11:19:18 pm:
I'm fairly new to OPNsense and Suricata. I came from pfSense and Snort, where reporting was built in.
Either I'm totally missing something, or there is no built-in reporting for Suricata in OPNsense. I've been digging around and found the 3 utilities listed above that apparently will do that for me. I do not see any built-in support for any of this. So the question is, what am I missing? If I'm not missing something, then can we get a request in for package support for one of the above?
Is it at all possible for me to manually install Scirius into a web server on the box? I can see a HUGE problem trying to implement it on an external server and trying to integrate it all.
I activated IPS and within minutes it blocked a game for a user, and because all I can see is raw logs I can't find the rule to clear. In Snort/pfSense, I could clear a rule within seconds.
Any guidance appreciated.
mimugmail (Hero Member), Reply #1, October 28, 2019, 07:08:33 am:
Isn't the message from the rule shown in the alert tab, which you can then search for in the rules tab?
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
lshantz (Full Member), Reply #2, October 28, 2019, 06:15:50 pm:
Thank you for the reply. There IS an alerts tab, but so far it is blank. Perhaps that is for the IPS mode? I get tons of alerts in the log file. It is raw data. I would assume that the alerts tab would also be raw data?
In the Snort package on pfSense, it was fairly intuitive. You get a block, you could easily find it and remove it from the rules. On this, I just get a block and no easy way to determine where or how. For instance, I have a box on .200.63. It gets blocked in a game almost instantly. That IP address doesn't show in the log, but it seems that it is being blocked since I can turn IPS off and it starts working again.
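The two posts above describe the practical gap: an alert carries a rule message and a SID that can be searched for in the rules tab, but with only raw EVE JSON in front of you it is not obvious which line caused a block, especially when the LAN host is only the destination of the logged packet. The script below is an added example for this thread, not OPNsense or Suricata code. It reads EVE JSON lines (normally /var/log/suricata/eve.json on the firewall), keeps only alert events that involve a given host in either direction, groups them by gid/sid, separates packets Suricata reports as "blocked" from ones it merely "allowed", and prints a threshold.config suppress entry for the matching rule. The log lines in SAMPLE_EVE are constructed for the example, the SIDs in them are local-range placeholders, and 192.168.200.63 is an assumption standing in for the poster's ".200.63" box.

```python
"""Find the Suricata rule behind a block by mining EVE JSON alerts.

Added example, not OPNsense or Suricata code. SAMPLE_EVE is constructed;
its field names follow Suricata's EVE alert schema (event_type, src_ip,
dest_ip, alert.gid, alert.signature_id, alert.signature, alert.action).
"""
import ipaddress
import json

# Constructed stand-in for /var/log/suricata/eve.json (one JSON object per line).
# The final line is deliberately cut off, as the last line of a live eve.json often is.
SAMPLE_EVE = r'''
{"timestamp":"2019-10-28T18:01:02.000000+0100","event_type":"alert","src_ip":"192.168.200.63","src_port":54321,"dest_ip":"203.0.113.10","dest_port":27015,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":2,"signature":"LOCAL Example game UDP traffic","category":"Potential Corporate Privacy Violation","severity":3}}
{"timestamp":"2019-10-28T18:01:03.000000+0100","event_type":"alert","src_ip":"203.0.113.10","src_port":27015,"dest_ip":"192.168.200.63","dest_port":54321,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":2,"signature":"LOCAL Example game UDP traffic","category":"Potential Corporate Privacy Violation","severity":3}}
{"timestamp":"2019-10-28T18:02:00.000000+0100","event_type":"alert","src_ip":"198.51.100.7","src_port":443,"dest_ip":"192.168.200.20","dest_port":50000,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL Example policy hit","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2019-10-28T18:02:01.000000+0100","event_type":"dns","src_ip":"192.168.200.63","src_port":53000,"dest_ip":"192.168.200.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2019-10-28T18:02:02.000000+0100","event_type":"alert","src_ip":"192.168.2
'''


def parse_eve(text):
    """Yield one dict per JSON line; skip blank and unparsable lines.

    eve.json is append-only and its last line may be half-written while
    Suricata runs, so a decode error is expected there, not fatal.
    """
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def alerts_for_host(events, host):
    """Return alert events in which `host` is the source or the destination.

    The rule may fire on the reply packet, so the LAN box can appear only
    as dest_ip; grepping for it as a source would miss the block.
    """
    target = ipaddress.ip_address(host)
    hits = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        ends = (ev.get("src_ip"), ev.get("dest_ip"))
        if any(ip and ipaddress.ip_address(ip) == target for ip in ends):
            hits.append(ev)
    return hits


def summarize_by_rule(alerts):
    """Group alerts by (gid, sid) and count how many were actually blocked.

    alert.action is "blocked" for packets dropped in IPS mode and "allowed"
    when the rule only alerted; that field is what separates the rule that
    broke the game from background noise.
    """
    summary = {}
    for ev in alerts:
        a = ev["alert"]
        key = (a["gid"], a["signature_id"])
        entry = summary.setdefault(
            key, {"signature": a["signature"], "rev": a.get("rev"), "total": 0, "blocked": 0})
        entry["total"] += 1
        if a.get("action") == "blocked":
            entry["blocked"] += 1
    return summary


def suppress_line(gid, sid, host, track="by_src"):
    """Build a Suricata threshold.config suppress entry for one rule and one host.

    Syntax: suppress gen_id <gid>, sig_id <sid>, track by_src|by_dst, ip <addr>.
    This is narrower than disabling the SID for everyone, which is what
    switching the rule off in the OPNsense rules tab does.
    """
    return f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {host}"


def main():
    events = list(parse_eve(SAMPLE_EVE))
    host = "192.168.200.63"  # assumption: the poster's ".200.63" box
    for (gid, sid), info in sorted(summarize_by_rule(alerts_for_host(events, host)).items()):
        print(f"{gid}:{sid} rev {info['rev']}  blocked {info['blocked']}/{info['total']}  {info['signature']}")
        if info["blocked"]:
            print(f"  search the rules tab for SID {sid} or for the message above")
            print("  " + suppress_line(gid, sid, host))


if __name__ == "__main__":
    main()
```

A suppress entry with `track by_src` only covers packets where the host is the source; if the rule also fires on the inbound direction, add a second line with `track by_dst`. On OPNsense the rules tab and its policies manage disabling for you, so the value of the script is in naming the SID and message to look for, not in editing Suricata's files by hand.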
mimugmail (Hero Member), Reply #3, October 28, 2019, 07:51:14 pm:
Uncheck both log settings related to syslog, then you should see something in the alerts tab.
lshantz (Full Member), Reply #4, October 28, 2019, 08:03:18 pm:
Okay, even though it says that will have no effect? I did as suggested. Will wait for a bit and see what pops up.

    Enable syslog alerts
    Send alerts to system log in fast log format. This will not change the alert logging used by the product itself.
    Enable eve syslog output
    Send alerts in eve format to syslog, using log level info. This will not change the alert logging used by the product itself. Drop logs will only be sent to the internal logger, due to restrictions in suricata.

Later: WOW!! That did not have the desired effect at all. The box crashed HARD!! The only way I was able to get back was to restore from backup. What I saw on the monitor after connecting up via HDMI was "IGP1 MBUF that needs checksum offload" over and over, which effectively took the LAN port out. All I did was turn off the syslog stuff as suggested.
We are kind of getting away from the original question anyhow. How do I get a nice reporting tool so I can easily block, unblock and see what is happening without gleaning raw output data?
Last edit: October 28, 2019, 08:41:01 pm by lshantz
mimugmail (Hero Member), Reply #5, October 28, 2019, 08:47:42 pm:
You don't get it, you should NOT use the syslog variants.
lshantz (Full Member), Reply #6, October 28, 2019, 08:53:48 pm:
Oh, I get it alright. But turning it off caused the box to hard crash! I would think there should be logic to prevent configuring it to a point where it hard crashes like this, but in any event doing as you suggested caused a HUGE mess.
But to my original question, how do I turn on reporting and log analysis other than raw data?
mimugmail (Hero Member), Reply #7, October 28, 2019, 09:19:07 pm:
The crash will most likely come from the wrong Hyperscan/Aho-Corasick setting. Just try to flip it.
There's currently no internal tool for this.
lshantz (Full Member), Reply #8, October 28, 2019, 09:26:11 pm:
Do you know if this is in the works?
That is 50% of the battle. If you have no tools for analysis, then it is not very useful.
mimugmail (Hero Member), Reply #9, October 28, 2019, 09:34:40 pm:
Why not ELK? Others can do it better. It would take too many resources for local analysis.
lshantz (Full Member), Reply #10, October 28, 2019, 11:24:06 pm:
Why not ELK? Why not indeed. I know nothing of it. I was doing research and those 3 are all I came up with.
That is incorrect about not being able to run a backend for Suricata. It has more than enough horsepower. I used pfSense with the Snort module, which has analysis built in. That is why I felt I must be missing something. To have Suricata and not have the backend is like having a car with no transmission.