On 4 May 2017 at 13:20, Hans-J. Ullrich <[email protected]> wrote:
>
> 1. On my netbook I regularly change the interface which is connected to the
> internet. So maybe some day I need eth0, the next day wlan0, and also ppp0
> (via UMTS) is often in use.
>
> I want suricata to check all the interfaces. All shall have the same ruleset.
> How can I tell suricata to do so, if possible at all? One solution may be to
> create and start suricata with a separate configuration for eth0, one for
> wlan0 and one for ppp0. But that is annoying. In snort it was possible just
> to tell which interfaces shall be included; it was very easy. Hope there is a
> same easy way in suricata.
>

This is a missing feature. I will alert upstream developers about this request.

> 2. I could not find how to get alerted when suricata detects bad traffic.
> IMO suricata.log might show it, but I want to be alerted as fast as possible.
> My idea and suggestion for this problem: Please add a configuration file for
> "logcheck" that recognizes an active attack. I believe also suricata is
> using keywords in its log which show an active attack. Good idea?
>

Please check the docs [0] :) I guess your relevant sections are rules, output and configuration.

In addition, for the integration with logcheck, perhaps we can tune logcheck itself. This seems like something to be done on the logcheck side.

> 3. I found no GUI for managing and configuring suricata. A little Google
> search brought me to snorby, which is for snort, but shall also be usable for
> suricata. IMO the GUI does not need a web interface; a simple ncurses
> interface will be fine enough. Do you know about such one? This point is not
> so important, but would be nice to have.
>

Some programs exist. Take a look at scirius [1] for example. Unfortunately, scirius is not packaged in debian yet.

[0] http://suricata.readthedocs.io/en/latest/
[1] https://www.stamus-networks.com/open-source/
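Point 2 above asks for keyword-based alerting on Suricata's log, logcheck-style. The following is an added example, not code from this thread or from the Suricata or logcheck projects: it parses Suricata's fast.log alert lines (layout assumed from Suricata's documented fast.log output, which the thread refers to only as "suricata.log") and keeps the urgent ones by the rule's Priority field, which is what a logcheck pattern for Suricata would have to match. The sample lines and their SIDs are constructed.

```python
import re
from dataclasses import dataclass

# One Suricata fast.log alert line. Layout assumed from Suricata's documented
# fast.log output, which this thread only refers to as "suricata.log".
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

@dataclass
class Alert:
    timestamp: str
    sid: int
    msg: str
    classification: str  # None when the rule carries no classtype
    priority: int        # 1 = most urgent
    proto: str
    src: str
    dst: str

def parse_fast_log_line(line):
    """Return an Alert for a well-formed fast.log line, None for anything else."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], int(m["sid"]), m["msg"], m["cls"], int(m["prio"]),
                 m["proto"], m["src"], m["dst"])

def urgent_alerts(lines, max_priority=2):
    """Keep alerts whose priority number is at or below max_priority (the urgent ones)."""
    return [a for a in map(parse_fast_log_line, lines)
            if a is not None and a.priority <= max_priority]

# Constructed sample lines in fast.log layout; SIDs are in the local-rules range.
SAMPLE_LINES = [
    "05/04/2017-13:20:01.123456  [**] [1:1000001:1] LOCAL id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.0.2.10:49152",
    "05/04/2017-13:20:02.000001  [**] [1:1000002:1] LOCAL truncated packet [**] "
    "[Classification: Generic Protocol Command Decode] [Priority: 3] {IPv4} 192.0.2.10:0 -> 198.51.100.1:0",
    "05/04/2017-13:20:03.500000  [**] [1:1000003:1] LOCAL inbound to MySQL port [**] "
    "[Priority: 1] {TCP} 203.0.113.7:51000 -> 192.0.2.10:3306",
    "Not an alert line: Suricata start-up message",
]

if __name__ == "__main__":
    for a in urgent_alerts(SAMPLE_LINES):
        print(f"{a.timestamp} prio={a.priority} sid={a.sid} {a.src} -> {a.dst}: {a.msg}")
```

Feeding it `tail -F` output of the real fast.log, or turning the regex into a logcheck rule file, gives the near-real-time notification the question asks for without waiting for a periodic log review.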

