Suricata

In order to feed an elasticsearch with logstash without an intermediate disk file I am trying to export EVE to an Unix domain socket.

Unfortunately this is not working in suricata 2.0.2 release even with this decanio's patch

Tests made¶

Test	Result
1. fast output as Unix domain stream socket	ok
2. fast output as Unix domain datagram socket	ok
3. EVE output as Unix domain stream socket	not ok
4. EVE output as Unix domain datagram socket	not ok

Tests methods¶

Receiver is netcat-openbsd for Unix domain stream socket or socat for Unix domain datagram socket.

Sender is suricata --pfring and relevant configuration is detailled.

EVE output is fully functionnal to a flat file.

1. receiver: nc -vlkU /srv/suricata/suri_fast.sock
1. sender:

outputs:
  - fast:
      enabled: yes
      filename: suri_fast.sock
      filetype: unix_dgram

2. receiver: socat UNIX-RECVFROM:/srv/suricata/suri_fast.sock,fork STDOUT
2. sender:

outputs:
  - fast:
      enabled: yes
      filename: suri_fast.sock
      filetype: unix_stream

3. receiver: nc -vlkU /srv/suricata/suri_eve.sock
3. sender:

outputs:
  - eve-log:
      enabled: yes
      type: unix_stream
      filename: suri_eve.sock

4. receiver: socat UNIX-RECVFROM:/srv/suricata/suri_eve.sock,fork STDOUT
4. sender:

outputs:
  - eve-log:
      enabled: yes
      type: unix_dgram
      filename: suri_eve.sock

Environment¶

suricata-2.0.2 release with and without decanio's patch (two build tried).

configure line:

dh_auto_configure -- LDFLAGS='-L/home/package/PF_RING.svn/userland/libpcap-1.1.1-ring/' LIBS='-lnuma' --enable-pfring --with-libpfring-libraries=/home/package/PF_RING.svn/userland/lib --with-libpfring-includes=/home/package/PF_RING.svn/userland/lib --with-libpcap-libraries=/home/package/PF_RING.svn/userland/libpcap-1.1.1-ring --with-libpcap-includes=/home/package/PF_RING.svn/userland/libpcap-1.1.1-ring --enable-luajit --with-libluajit-includes=/home/package/libluajit-2.0.3/src --with-libluajit-libraries=/home/package/libluajit-2.0.3/debian/libluajit/usr/local/lib

configure output:

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes
  libluajit:                               yes
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix (--prefix):          /usr
  Configuration directory (--sysconfdir):  /etc/suricata/
  Log directory (--localstatedir) :        /var/log/suricata/

  Host:                                    x86_64-pc-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no