suricata-ipc
Library to enable packet sharing with suricata, and reading alerts from an eve
socket. Alerts read can then use an intel cache to determine additional metadata
about them.
use suricata_ipc::prelude::*;
#[tokio::main]
async fn main() {
let rules = Rules::from_path("my.rules").expect("Failed to parse rules");
let config = Config::default();
let rules = Rules::from_path(resources.join("test.rules")).expect("Could not parse rules");
let cache: IntelCache<Rule> = rules.into();
cache.materialize_rules(config.rule_path.clone()).expect("Failed to materialize rules");
let mut ids = Ids::new(config).await.expect("Failed to create ids");
let ids_alerts = ids.take_alerts().expect("No alerts");
send_packets(&mut ids).await.expect("Failed to send packets");
let alerts: Result<Vec<_>, Error> = ids_alerts.try_collect().await;
let alerts: Result<Vec<_>, Error> = alerts.expect("Failed to receive alerts")
.into_iter().flat_map(|v| v).collect();
let alerts = alerts.expect("Failed to parse alerts");
for eve in alerts {
println!("Eve={:?}", eve);
if let Some(intel) = cache.observed(eve) {
if let Observed::Alert { rule, message: _ } = intel {
println!("Rule={:?}", rule);
}
}
}
}
Develop With Docker
Install lefthook. You can then run
lefthook run develop
Building IPC Plugin
To build the ipc plugin, you will need the suricata source, then set
SURICATA_SRC_DIR=/path/to/suricata
You can then run
lefthook run build-plugin
This will create the plugin in ipc-plugin/build