

add Suricata monitoring (librenms#13942)
* add poller

* add a generic alert graph

* add support for .total

* add the initial work on the suricata app page

* add applayer flow sources

* more rrd work and add more fields

* add a missing graph to the suricata page

* add suricata to the apps page

* all working now for suricata

* add some suricata alert examples

* all done with the php

* update the application docs for Suricata

* add another note about Suricata stats in the docs

* add the test file

* add the test JSON

* remove an unneeded newline from the application docs

* correct the type uptime type

* packets graph should by packets/sec

* minor formatting cleanup

* one more minor formatting cleanup

* shot in the dark to see if something fixes the angry linter

* fix snmpsim file

* add metrics

* add values to the metrics

* add a missing comma to the json

* add a missing line to snmprec and cleanup json a bit

* a few more minor changes to see if this makes it happy... regened via scripts/json-app-tool.php

* see if this will make it happy

* add suricata to app discovery and hope that fixes it... take a shot in the dark as to why the linter errors strangely on two of the files

* fix json

* add a missing ] to the json

* rename two graphs so it does not trigger one alert and add a missing metric

* whoops, *_alertString is not a metric
VVelox authored Apr 26, 2022
1 parent f8d76b0 commit cdf457f
Showing 20 changed files with 2,402 additions and 0 deletions.
31 changes: 31 additions & 0 deletions doc/Extensions/Applications.md
Expand Up @@ -2152,6 +2152,37 @@ extend supervisord /etc/snmp/supervisord.py
systemctl restart snmpd
```

## Suricata

### SNMP Extend

1. Install the extend.
```
cpanm Suricata::Monitoring
```

2. Setup cron. Below is a example.
```
*/5 * * * * /usr/local/bin/suricata_stat_check > /dev/null
```

3. Configure snmpd.conf
```
extend suricata-stats /usr/bin/env PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin suricata_stat_check -c
```

4. Restart snmpd on your system.

You will want to make sure Suricata is set to output the stats
to the eve file once a minute. This will help make sure that
it won't be to far back in the file and will make sure it is
recent when the cronjob runs.

Any configuration of suricata_stat_check should be done in the cron
setup. If the default does not work, check the docs for it at
[MetaCPAN for
suricata_stat_check](https://metacpan.org/dist/Suricata-Monitoring/view/bin/suricata_stat_check)

## TinyDNS aka djbdns

### Agent
1 change: 1 addition & 0 deletions includes/discovery/applications.inc.php
Expand Up @@ -46,6 +46,7 @@
$applications['osupdate'] = 'os-updates';
$applications['phpfpmsp'] = 'php-fpm';
$applications['postfixdetailed'] = 'postfix';
$applications['suricata-stats'] = 'suricata';
}

d_echo(PHP_EOL . 'Available: ' . implode(', ', array_keys($applications)) . PHP_EOL);
27 changes: 27 additions & 0 deletions includes/html/functions.inc.php
Expand Up @@ -1324,6 +1324,33 @@ function get_sensor_label_color($sensor, $type = 'sensors')
return "<span class='label $label_style'>" . trim(Number::formatSi($sensor['sensor_current'], 2, 3, $unit)) . '</span>';
}

/**
* Returns a list of the various suricata instances for
* the specified device id.
*
* @param $device_id
* @return array
*/
function get_suricata_instances($device_id)
{
$options = [
'filter' => [
'type' => ['=', 'suricata'],
],
];

$component = new LibreNMS\Component();
$ourc = $component->getComponents($device_id, $options);

if (isset($ourc[$device_id])) {
$id = $component->getFirstComponentID($ourc, $device_id);

return json_decode($ourc[$device_id][$id]['instances']);
}

return [];
}

/**
* @params int unix time
* @params int seconds
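Review bot: `get_suricata_instances()` hands back whatever `json_decode()` produces on the line `return json_decode($ourc[$device_id][$id]['instances']);`, so a malformed or empty `instances` column yields `null` (and a JSON object yields `stdClass`), contradicting the `@return array` docblock and breaking any caller that iterates the result. Decoding as an associative array with an empty-list default keeps the documented contract: `return json_decode($ourc[$device_id][$id]['instances'], true) ?? [];`. The signature could also carry the types the docblock promises, `function get_suricata_instances(int $device_id): array`. `Component::getComponents()` is not visible here, so I am assuming the `instances` field holds a JSON array of instance names.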
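--- a/includes/html/graphs/application/suricata_alert.inc.php
+++ b/includes/html/graphs/application/suricata_alert.inc.php
@@ -0,0 +1,29 @@
+<?php
+
+$name = 'suricata';
+$app_id = $app['app_id'];
+$unit_text = 'status';
+$colours = 'psychedelic';
+$dostack = 0;
+$printtotal = 0;
+$addarea = 0;
+$transparency = 15;
+
+if (isset($vars['instance'])) {
+    $rrd_filename = Rrd::name($device['hostname'], ['app', $name, $app['app_id'], $vars['instance']]);
+} else {
+    $rrd_filename = Rrd::name($device['hostname'], ['app', $name, $app['app_id']]);
+}
+
+$rrd_list = [];
+if (Rrd::checkRrdExists($rrd_filename)) {
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'Alert Status',
+        'ds' => 'alert',
+    ];
+} else {
+    d_echo('RRD "' . $rrd_filename . '" not found');
+}
+
+require 'includes/html/graphs/generic_multi_line.inc.php';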
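Review bot: `$vars['instance']` goes straight from the request into the RRD file name on the line `$rrd_filename = Rrd::name($device['hostname'], ['app', $name, $app['app_id'], $vars['instance']]);`, so the graph relies entirely on `Rrd::name()` to keep path separators and `..` out of the name, and that helper is not visible in this commit. Since the same commit adds `get_suricata_instances()`, the cheap defence is to accept only an instance the component actually reports: `$instances = get_suricata_instances($device['device_id']);` followed by `if (isset($vars['instance']) && in_array($vars['instance'], $instances, true)) {`. The identical filename block appears verbatim in suricata_app_flows.inc.php and should get the same check.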
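--- a/includes/html/graphs/application/suricata_app_flows.inc.php
+++ b/includes/html/graphs/application/suricata_app_flows.inc.php
@@ -0,0 +1,154 @@
+<?php
+
+$name = 'suricata';
+$app_id = $app['app_id'];
+$unit_text = 'flows/sec';
+$colours = 'psychedelic';
+$dostack = 0;
+$printtotal = 0;
+$addarea = 0;
+$transparency = 15;
+
+if (isset($vars['instance'])) {
+    $rrd_filename = Rrd::name($device['hostname'], ['app', $name, $app['app_id'], $vars['instance']]);
+} else {
+    $rrd_filename = Rrd::name($device['hostname'], ['app', $name, $app['app_id']]);
+}
+
+$rrd_list = [];
+if (Rrd::checkRrdExists($rrd_filename)) {
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'DCERPC TCP',
+        'ds' => 'af_dcerpc_tcp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'DCERPC UDP',
+        'ds' => 'af_dcerpc_udp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'DHCP',
+        'ds' => 'af_dhcp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'DNS TCP',
+        'ds' => 'af_dns_tcp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'DNS UDP',
+        'ds' => 'af_dns_udp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'Failed TCP',
+        'ds' => 'af_failed_tcp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'Failed UDP',
+        'ds' => 'af_failed_udp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'FTP',
+        'ds' => 'af_ftp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'FTP-DATA',
+        'ds' => 'af_ftp_data',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'HTTP',
+        'ds' => 'af_http',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'IKEv2',
+        'ds' => 'af_ikev2',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'IMAP',
+        'ds' => 'af_imap',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'Krb5 TCP',
+        'ds' => 'af_krb5_tcp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'Krb5 UDP',
+        'ds' => 'af_krb5_udp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'MQTT',
+        'ds' => 'af_mqtt',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'NFS TCP',
+        'ds' => 'af_nfs_tcp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'NFS UDP',
+        'ds' => 'af_nfs_udp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'RDP',
+        'ds' => 'af_rdp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'RFB',
+        'ds' => 'af_rfb',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'SIP',
+        'ds' => 'af_sip',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'SMB',
+        'ds' => 'af_smb',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'SMTP',
+        'ds' => 'af_smtp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'SNMP',
+        'ds' => 'af_snmp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'ssh',
+        'ds' => 'af_ssh',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'TFTP',
+        'ds' => 'af_tftp',
+    ];
+    $rrd_list[] = [
+        'filename' => $rrd_filename,
+        'descr' => 'TLS',
+        'ds' => 'af_tls',
+    ];
+} else {
+    d_echo('RRD "' . $rrd_filename . '" not found');
+}
+
+require 'includes/html/graphs/generic_multi_line.inc.php';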
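Review bot: The twenty-six `$rrd_list[] = [...]` literals inside the `if (Rrd::checkRrdExists($rrd_filename))` branch differ only in `descr` and `ds`, which makes the list hard to audit for a missing or misnamed data source and is a point of style rather than correctness. A `ds => descr` map iterated in a loop keeps each data source on one line and builds the same `$rrd_list` in the same order. The `else` branch with `d_echo` and the final `require` can stay as they are.
```php
$rrd_list = [];
if (Rrd::checkRrdExists($rrd_filename)) {
    // data source name => legend label, in display order
    $app_flows = [
        'af_dcerpc_tcp' => 'DCERPC TCP',
        'af_dcerpc_udp' => 'DCERPC UDP',
        'af_dhcp' => 'DHCP',
        'af_dns_tcp' => 'DNS TCP',
        'af_dns_udp' => 'DNS UDP',
        'af_failed_tcp' => 'Failed TCP',
        'af_failed_udp' => 'Failed UDP',
        'af_ftp' => 'FTP',
        'af_ftp_data' => 'FTP-DATA',
        'af_http' => 'HTTP',
        'af_ikev2' => 'IKEv2',
        'af_imap' => 'IMAP',
        'af_krb5_tcp' => 'Krb5 TCP',
        'af_krb5_udp' => 'Krb5 UDP',
        'af_mqtt' => 'MQTT',
        'af_nfs_tcp' => 'NFS TCP',
        'af_nfs_udp' => 'NFS UDP',
        'af_rdp' => 'RDP',
        'af_rfb' => 'RFB',
        'af_sip' => 'SIP',
        'af_smb' => 'SMB',
        'af_smtp' => 'SMTP',
        'af_snmp' => 'SNMP',
        'af_ssh' => 'ssh',
        'af_tftp' => 'TFTP',
        'af_tls' => 'TLS',
    ];
    foreach ($app_flows as $ds => $descr) {
        $rrd_list[] = [
            'filename' => $rrd_filename,
            'descr' => $descr,
            'ds' => $ds,
        ];
    }
// … unchanged: else branch with d_echo, require of generic_multi_line …
```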
