Suricata loves EveBox


(Giacomo Sanchietti) #1

Thanks to @filippo_carletti's work, we now have a fully revised Suricata implementation.


  • use Emerging Threats rules
  • allow configuration of rule categories from Server Manager: each category can be disabled, enabled only for alerting, enabled for blocking bad traffic
  • EveBox is now part of the stack and can be used to see a report of blocked/alerted rules

This is a screenshot of EveBox on our production firewall:

Enjoy the testing and let us know what you think!

IPS Categories to enable

Just to verify my memory, Nethserver’s suricata implementation only works inline, not as a standalone using promisc off a tap?

(Filippo Carletti) #3

Yes, inline only, using nfqueue.

(Michael Kicks) #4

Is it in the testing repository?

(Marc) #5

Yes. You can find test cases on the issue linked above.

(Joel Clendineng) #6

I <3 you guys, been messing with EveBox myself, this looks amazing.

(Joel Clendineng) #7

Tested and working great! Enabled the testing repo but the software center would not allow me to install because of a conflict with ntop, but I ssh'd in and manually installed the packages and it's working great. I need to do some reading up on what the different categories mean, but it's fantastic. I'm sure I can add rules from other sources such as snort/other suricata rules? This is great.

Edit: So I can add .rules files with “ET-****.rule” in the suricata rules folder and it looks like it accepts it, naming is off but it's fantastic.

(Giacomo Sanchietti) #8

Packages from testing should always be installed from the command line.
EveBox and Suricata don't conflict with ntopng, but the new ntopng-pcap package does.

As you found, actually, the web interface displays all files named “ET-*” from /etc/suricata/rules.
We could also add other file names. What rules do you use? Can you also find a name pattern for them?

(Joel Clendineng) #9

I was just playing with the rules :smile: Whatever pattern you come up with I think is good, this is an amazing addition.

(Joel Clendineng) #10

How would I go about updating when ntop errors out? ntopng was uninstalled before I installed evebox, not sure why it's back.

Edit: as a workaround I did a yum remove of ntopng and ntopng-data so I could update, I'll reinstall if needed for evebox later.

(Kevin Farmer) #11

I have installed from the testing repo from the CLI:


Rules are downloaded and alerts are set up. It's been 2 days and still no alerts. I even created a local.rules to do some testing and still nothing. My local rule is simply

drop tcp any any -> any any (msg:"facebook is blocked"; content:""; http_header; nocase; classtype:policy-violation; sid:10000001;)

I still get Facebook. What am I missing? I see Drops and Rejects in firewall.log, but nothing in Suricata drop.log
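
Before reloading a local.rules like the one above, a quick syntax check catches rule-writing problems before they are hunted for in the logs. The following Python linter is an added example, not part of this thread or of NethServer's Suricata packaging: it parses each rule line into its header fields and options, and flags an empty content match (as in the rule in this post) and duplicate sids. The rule set it checks is constructed inline for the example.

```python
import re

# Constructed sample rule set (not from the thread): the first rule mirrors the
# local.rules line above, the others are invented to exercise the checks.
SAMPLE_RULES = """\
# local.rules (constructed sample)
drop tcp any any -> any any (msg:"facebook is blocked"; content:""; http_header; nocase; classtype:policy-violation; sid:10000001;)
alert http any any -> any any (msg:"example.test host header"; content:"example.test"; http_header; nocase; classtype:policy-violation; sid:10000002; rev:1;)
drop tcp any any -> any any (msg:"duplicate sid"; content:"example.test"; sid:10000002;)
"""

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?:->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
# One option: keyword, optional ':value' (quoted or bare), terminated by ';'
OPT_RE = re.compile(r'\s*(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(line):
    """Return the header fields plus an ordered (keyword, value) option list, or None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")}
    rule["options"] = OPT_RE.findall(m.group("opts"))  # value is '' for flag keywords
    return rule

def lint_rules(text):
    """Return (line_no, problem) pairs for a rules file; an empty list means it passed."""
    problems, seen_sids = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are fine
        rule = parse_rule(line)
        if rule is None:
            problems.append((n, "unparseable rule line"))
            continue
        opts = dict(rule["options"])
        sid = opts.get("sid")
        if sid is None:
            problems.append((n, "missing sid"))
        elif sid in seen_sids:
            problems.append((n, f"duplicate sid {sid} (first seen on line {seen_sids[sid]})"))
        else:
            seen_sids[sid] = n
        # an empty content match is a rule-writing error: it cannot match the intended string
        if any(k == "content" and v.strip('"') == "" for k, v in rule["options"]):
            problems.append((n, "empty content match"))
    return problems
```

Run lint_rules() over the real /etc/suricata/rules/local.rules before reloading Suricata; any rule it reports will not behave as intended.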

(Filippo Carletti) #12

Let’s start looking at suricata logs: