Integrating Moloch and Suricata
- Authors : Tomáš Mokoš, Miroslav Kohútik
In this article we will show you how to integrate alerts generated by IDS Suricata into network traffic capture tool Moloch.
Installation guides for Moloch and Suricata can be found here and here, respectively.
Moloch archives network traffic to which it provides fast and organized access, however, Moloch does not provide any security measures for said traffic by itself. On the other hand, Suricata IDS surveils the monitored traffic and creates signatures that provide information about threats, but does not provide any GUI to display them.
Since version 1.5 (released on 16.7.2018), Moloch supports a plugin for importing Suricata alerts. Suricata and Moloch must be running on the same machine for the plugin to work. Data generated by Suricata can be accessed in Moloch’s web UI in the Sessions and SPI View tabs. All sessions containing Suricata data can be found by using query suricata.signature == EXISTS! in Moloch’s search bar. This solution does not feature a special Suricata UI inside Moloch, it just adds new fields to Moloch data. To add this plugin, you need to add suricata.so to the list of plugins and specify the path to eve.json file in the Moloch configuration file.
Append the following lines to the Moloch config file located in /data/moloch/etc/config.ini :
pluginsDir=/data/moloch/plugins
plugins= suricata.so;
suricataAlertFile=/var/log/suricata/eve.json
suricataExpireMinutes=60
The Suricata fields should now appear in Sessions and SPI View