Operating Suricata

Operations

#tail -F /var/log/suricata/suricata.log
#tail -F /var/log/suricata/suricata-start.log
# follow every Suricata log at once; -F re-opens files after log rotation.
# NB: the glob is expanded once, so a log file created later is not followed.
tail -F /var/log/suricata/*.log

watch for alerts

# fast.log is Suricata's one-line-per-alert log
tail -F /var/log/suricata/fast.log

status

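systemctl status suricata
# pgrep only lists the suricata processes themselves, so there is no
# self-match to filter out as with "ps | grep suricata"; -a shows the cmdline
pgrep -a suricata
# runtime directory; presumably holds the unix command socket suricatasc uses
ls -lkF /var/run/suricata/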

reload rules

# && chaining: the live rule reload (and the ALL DONE marker) only run when
# suricata-update exited successfully
suricata-update && suricatasc -c reload-rules && echo ALL DONE

and eventually run those inside GNU Screen windows

vi .screenrc

# .screenrc windows 0-2: $HOME/logsuricata and $HOME/fast are presumably small
# wrapper scripts around the two tail commands above -- confirm they exist
screen -t "suricata" 0 $HOME/logsuricata
screen -t "fast" 1 $HOME/fast
screen -t "rules" 2

Cleaning-up the mess

systemctl stop suricata
# every clean-up step below (mv, rm, find) acts on the current directory --
# make sure this cd really succeeded before running them
cd /data/suricata/

re-check for some past alerts

# look for alerts mentioning "Compromised" before the logs get archived
grep Compromised *.log | less

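# archive dir created owner-only (0700): it receives the IDS logs and, further
# down, the clear-text credentials extracted from the pcaps. -m only applies
# when the directory is created; chmod 700 an already existing ~/backup/.
mkdir -p -m 0700 -- ~/backup/
mv -- *.log ~/backup/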

ls -lShrF
# eve.json is deleted rather than archived -- move it to ~/backup/ as well if
# the EVE JSON records may be needed for later analysis
rm -f -- eve.json
# drop empty files without forking one rm per file
find . -type f -empty -delete

check for clear-text credentials and shit before you get rid of the dumps

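#self verbose
# run dsniff over each pcap dump (quoted so odd filenames survive); the dumps
# are only removed when every run succeeded, so a failed file can be re-checked.
# The dsniff.cmp.* outputs hold clear-text credentials: keep them in the
# owner-only backup dir and delete them once reviewed.
failed=0
for f in log.pcap.*; do
  [[ -e "$f" ]] || continue                       # no dumps present: skip the literal glob
  dsniff -c -m -p "$f" -w "dsniff.cmp.$f" || { printf 'dsniff failed on %s\n' "$f" >&2; failed=1; }
done
(( failed )) || rm -f log.pcap*
unset f failed
grep USER dsniff.cmp.log.pcap.*
grep PASS dsniff.cmp.log.pcap.*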

without the multicast (224.0.0.251) entries

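# drop the 224.0.0.251 (mDNS multicast) lines, dsniff's dashed separators and
# blank lines; grep -E replaces the deprecated egrep and the dots are escaped so
# the address matches literally. umask 077 keeps the credentials file owner-only.
( umask 077; grep -Ev '224\.0\.0\.251|^-----------------$|^$' dsniff.cmp.log.pcap.* > ~/backup/creds )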
