On Thu, 04 May 2017 13:20:49 +0200 "Hans-J. Ullrich" <[email protected]> wrote:
> Package: suricata
> Version: 3.2.1-1
> Severity: wishlist
>
> Dear Maintainer,
>
> first, please apologize, as I am new to suricata. Before I used snort, but I believe suricata is now more modern.
>
> As this is a wishlist, just allow me to shortly describe what I am missing:
>
> 1. On my netbook I regularly change the interface which is connected to the internet. So maybe some day I need eth0, the next day wlan0, and also ppp0 (via UMTS) is often in use.
>
> I want suricata to check all the interfaces. All shall have the same ruleset. How can I tell suricata to do so, if possible at all? One solution may be to create and start suricata with a separate configuration for eth0, one for wlan0 and one for ppp0. But that is annoying. In snort it was possible to just tell which interfaces shall be included; it was very easy. Hope there is the same easy way in suricata.
>
> 2. I could not find how to get alerted when suricata detects bad traffic. IMO suricata.log might show it, but I want to be alerted as fast as possible. My idea and suggestion for this problem: please add a configuration file for "logcheck" that recognizes an active attack. I believe suricata is also using keywords in its log which show an active attack. Good idea?
>
> 3. I found no GUI for managing and configuring suricata. A little Google search brought me to snorby, which is for snort, but shall also be usable for suricata. IMO the GUI does not need a web interface; a simple ncurses interface will be fine enough. Do you know of one? This point is not so important, but would be nice to have.
You may also want to check out EveBox. It can run without any external database (it can use SQLite). It's just an alert/event viewer though, whereas Scirius is a rule management tool. https://evebox.org/
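Point 2 of the wishlist asks how to get alerted quickly when Suricata logs bad traffic, and suggests logcheck-style keyword matching on the log. The following is an added example (not code from the bug report, the Debian package, or the Suricata project) of what such a filter has to do: parse Suricata's fast.log alert lines, keep only alerts at or above a chosen priority, and render a one-line notification. The regex follows the fast.log line layout (timestamp, `[gid:sid:rev]`, message, optional classification, priority, protocol, endpoints); the SIDs, messages and addresses in the sample lines are constructed, and the parser is deliberately limited to IPv4 endpoints so the address/port split stays unambiguous.

```python
import re

# Regex for one Suricata fast.log alert line. Field layout follows the
# fast.log format; everything matched by the sample lines below is constructed.
FAST_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"   # classification is optional
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    # IPv4 endpoints only (assumption), so ':port' can be split unambiguously;
    # ICMP lines carry no ports at all.
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: local-range SIDs, documentation IP ranges, one
# line without a classification, and one line that is not a fast.log record.
SAMPLE_FAST_LOG = [
    "05/04/2017-13:20:49.123456  [**] [1:1000001:7] LOCAL suspicious id command response "
    "[**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.5:54321",
    "05/04/2017-13:21:03.000001  [**] [1:1000002:2] LOCAL TCP invalid checksum "
    "[**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.5:44212 -> 203.0.113.10:443",
    "05/04/2017-13:22:17.654321  [**] [1:1000003:1] LOCAL ICMP echo from outside "
    "[**] [Priority: 1] {ICMP} 198.51.100.7 -> 192.0.2.5",
    "garbage line that is not a fast.log record",
]


def parse_fast_line(line):
    """Return a dict for a fast.log alert line, or None if it does not match."""
    m = FAST_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    return {
        "timestamp": d["ts"],
        "gid": int(d["gid"]),
        "sid": int(d["sid"]),
        "rev": int(d["rev"]),
        "msg": d["msg"],
        "classification": d["cls"] or "",
        "priority": int(d["prio"]),
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def alerts_at_or_above(lines, max_priority=2):
    """Keep alerts whose priority is max_priority or more urgent.

    Suricata priorities count upwards from 1 (most severe), so the filter
    keeps priority <= max_priority. Unparseable lines are skipped.
    """
    hits = []
    for line in lines:
        alert = parse_fast_line(line)
        if alert is not None and alert["priority"] <= max_priority:
            hits.append(alert)
    return hits


def _endpoint(ip, port):
    # ICMP alerts have no port; print just the address in that case.
    return f"{ip}:{port}" if port is not None else ip


def format_notification(alert):
    """One-line summary suitable for a mail or logcheck-style report."""
    return "[sid {}] {} (prio {}) {} {} -> {}".format(
        alert["sid"], alert["msg"], alert["priority"], alert["proto"],
        _endpoint(alert["src"], alert["sport"]),
        _endpoint(alert["dst"], alert["dport"]),
    )


if __name__ == "__main__":
    for alert in alerts_at_or_above(SAMPLE_FAST_LOG, max_priority=2):
        print(format_notification(alert))
```

Run as a script it prints the two notifications for the priority 1 and priority 2 alerts and silently drops the priority 3 line and the garbage line. The same priority threshold is what a logcheck rule would have to encode as a regex; doing it in a parser instead keeps the SID, classification and endpoints available for deduplication or routing before anything is sent.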

