Skip to content

harkirat22/suricata-listener

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Suricata Listener

Suricata Listener is a tool designed to continuously monitor and process logs generated by Suricata, an IDS/IPS system, providing real-time analysis and potential threat mitigation.

Features

Real-time Log Processing: Actively listens for new logs and processes them immediately. It uses fsnotify to keep a watch on the new entries to eve.json log file generated by suricata.

Integration with Kubernetes: Can be deployed as a DaemonSet to monitor Suricata logs across nodes.

Policy Enforcement with OPA: Leverages Open Policy Agent (OPA) to evaluate Suricata alerts against defined policies.

Prerequisites

A running Suricata setup. Use this repo to deploy it in GKE using OIDC authentication ( https://github.com/harkirat22/falcon-suricata-gke-deployment)

Kubernetes cluster for DaemonSet deployment.

Docker, if running in containers.

Installation & Deployment

Docker

To build and run the Suricata Listener using Docker: docker build -t suricata-listener . docker run -v /path/to/suricata/logs:/var/log/suricata suricata-listener

Kubernetes

Refer to the provided Terraform configuration to deploy Suricata Listener as a DaemonSet in a Kubernetes cluster. Link: https://github.com/harkirat22/falcon-suricata-gke-deployment

Usage

Once deployed, the Suricata Listener will continuously monitor the designated log directory (/var/log/suricata by default) for new log entries in eve.json which has a structure of a newline-delimited JSON (NDJSON) format.

When an alert is detected, it will evaluate the entry against the defined policies in OPA.

About

k8s listener for suricata-alerts

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published