
I've followed some directions for setting up Graylog and Snort (I used Suricata however) here but it would be nice to be able to see what the Alert payload was which generated the event.

An application named Snorby used to do this beautifully. You could view a hex dump of the payload to better determine the criticality of an event. As far as I know, development on Snorby ceased quite some time ago. Does anyone know if there's a way to get this sort of functionality with Graylog/Suricata? I guess if Suricata can save the payload somehow, it could be sent to Graylog somehow just not sure what mechanism would be best.

AlirezaK
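
As an added example (not part of the question or answer above): Suricata's eve-log alert output can be told to include the packet payload, base64-encoded, in each alert record (the `payload: yes` option under the `alert` type in suricata.yaml). The script below, written for this page, reads such an eve.json alert line and renders the payload as an offset/hex/ASCII dump in the style Snorby used; the sample record is constructed, not a real capture.

```python
import base64
import json
from typing import Optional

# Constructed sample eve.json alert record (not a real capture). Suricata
# emits records shaped like this when the eve-log "alert" output has
# "payload: yes"; the "payload" field holds the base64-encoded bytes.
SAMPLE_EVE_LINE = json.dumps({
    "timestamp": "2020-01-01T12:00:00.000000+0000",
    "event_type": "alert",
    "src_ip": "192.0.2.10", "src_port": 51234,
    "dest_ip": "192.0.2.20", "dest_port": 80, "proto": "TCP",
    "alert": {"signature_id": 1000001, "signature": "EXAMPLE test rule",
              "severity": 2},
    "payload": base64.b64encode(
        b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n").decode(),
})


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes as 'offset  hex bytes  printable ASCII' lines."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset:08x}  {hex_part}  {ascii_part}")
    return "\n".join(lines)


def alert_payload_dump(eve_line: str) -> Optional[str]:
    """Return a header plus hex dump for an alert record with a payload.

    Non-alert records (flow, dns, ...) and alerts logged without a payload
    field return None so a caller can skip them.
    """
    record = json.loads(eve_line)
    if record.get("event_type") != "alert" or "payload" not in record:
        return None
    payload = base64.b64decode(record["payload"])
    alert = record["alert"]
    header = (f'{alert["signature"]} (sid {alert["signature_id"]}) '
              f'{record["src_ip"]}:{record["src_port"]} -> '
              f'{record["dest_ip"]}:{record["dest_port"]}')
    return header + "\n" + hexdump(payload)


if __name__ == "__main__":
    print(alert_payload_dump(SAMPLE_EVE_LINE))
```

To use it on a live sensor, feed it lines from eve.json (for example via `tail -F`); the same decoded payload could be attached as a field when forwarding the record on to Graylog.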

1 Answer


I use EveBox to see Suricata's alerts, events and so on. It can also show graph reports if you use Elasticsearch.

EveBox is a web-based Suricata "eve" event viewer for Elasticsearch.

Features:

  • A web-based event viewer with an "Inbox" approach to alert management. Event search.
  • An agent for sending Suricata events to the EveBox server (but you can use Filebeat/Logstash instead).
  • Embedded SQLite for self-contained installations.

[Screenshot: Suricata web-based report]

AlirezaK