
jasonish / Evebox

Licence: agpl-3.0
Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search

Programming Languages

rust

Projects that are alternatives of or similar to Evebox

Selks
A Suricata based IDS/IPS distro
Stars: ✭ 707 (+147.2%)
Mutual labels:  ids, suricata
TheBriarPatch
An extremely crude, lightweight Web Frontend for Suricata/Bro to be used with BriarIDS
Stars: ✭ 21 (-92.66%)
Mutual labels:  suricata, ids
Suricata Rules
Suricata IDS rules for detecting red-team penetration and other malicious behaviour; supports detection of CobaltStrike, MSF, Empire, DNS tunnels, Weevely, China Chopper (菜刀), Behinder (冰蝎), cryptomining, reverse shells, ICMP tunnels and more
Stars: ✭ 397 (+38.81%)
Mutual labels:  ids, suricata
Suricata Update
The tool for updating your Suricata rules.
Stars: ✭ 143 (-50%)
Mutual labels:  ids, suricata
docker-suricata
A Suricata Docker image.
Stars: ✭ 120 (-58.04%)
Mutual labels:  suricata, ids
fever
fast, extensible, versatile event router for Suricata's EVE-JSON format
Stars: ✭ 47 (-83.57%)
Mutual labels:  suricata, netsec
Py Idstools
idstools: Snort and Suricata Rule and Event Utilities in Python (Including a Rule Update Tool)
Stars: ✭ 205 (-28.32%)
Mutual labels:  ids, suricata
gonids
gonids is a library to parse IDS rules, with a focus primarily on Suricata rule compatibility. There is a discussion forum available that you can join on Google Groups: https://groups.google.com/forum/#!topic/gonids/
Stars: ✭ 140 (-51.05%)
Mutual labels:  suricata, ids
maalik
Feature-rich Post Exploitation Framework with Network Pivoting capabilities.
Stars: ✭ 75 (-73.78%)
Mutual labels:  netsec
Remote-Integrity-Tool
The DearBytes remote integrity tool is an IDS (Intrusion Detection System) that keeps track of files on a remote server and logs an event if a file gets added, removed or modified.
Stars: ✭ 12 (-95.8%)
Mutual labels:  ids
ProbeManager
Centralized management of Intrusion Detection Systems such as Suricata, Bro, Ossec ...
Stars: ✭ 73 (-74.48%)
Mutual labels:  ids
Home-Lab
This is the network diagrams, configuration guides, and hardware used for my home lab.
Stars: ✭ 62 (-78.32%)
Mutual labels:  netsec
brimcap
Convert pcap files into richly-typed ZNG summary logs (Zeek, Suricata, and more)
Stars: ✭ 22 (-92.31%)
Mutual labels:  suricata
rdppot
RDP honeypot
Stars: ✭ 55 (-80.77%)
Mutual labels:  suricata
avain
A Modular Framework for the Automated Vulnerability Analysis in IP-based Networks
Stars: ✭ 56 (-80.42%)
Mutual labels:  netsec
harsh
Hashids implementation in Rust
Stars: ✭ 48 (-83.22%)
Mutual labels:  ids
Sysmon Config
Sysmon configuration file template with default high-quality event tracing
Stars: ✭ 3,287 (+1049.3%)
Mutual labels:  netsec
nsm-attack
Mapping NSM rules to MITRE ATT&CK
Stars: ✭ 53 (-81.47%)
Mutual labels:  suricata
NIDS-Intrusion-Detection
Simple implementation of a Network Intrusion Detection System. The KddCup'99 data set is used for this project: kdd_cup_10_percent is used for training and the "corrected" set is used for testing. PCA is used for dimension reduction. SVM and KNN supervised algorithms are the classification algorithms of the project. Accuracy: 83.5% for SVM, 80% for KNN
Stars: ✭ 45 (-84.27%)
Mutual labels:  ids
docker-zeek
Zeek IDS Dockerfile
Stars: ✭ 82 (-71.33%)
Mutual labels:  ids


EveBox is a web based Suricata "eve" event viewer for Elastic Search.


Features

  • A web based event viewer with an "Inbox" approach to alert management.
  • Event search.
  • An agent for sending Suricata events to the EveBox server (but you can use Filebeat/Logstash instead).
  • Embedded SQLite for self-contained installations.

Requirements

  • Suricata - to generate alerts and events.

And one of...

  • An existing ElasticSearch/Logstash (version 6 or greater) setup already handling Suricata events (EveBox has issues with Filebeat indices at this time).
  • Just Elastic Search, using EveBox or the EveBox agent to add events.
  • Nothing - EveBox can use an embedded SQLite database suitable for lower load installations (note: not all features supported yet).
  • A modern web browser.

Installation

Download a package and run the evebox application against your existing Elastic Search server.

Example:

./evebox server -e http://localhost:9200

Then visit http://localhost:5636 with your browser.

The latest release builds can be found at https://evebox.org/files/release/latest/.

The latest development builds (from git master) can be found at https://evebox.org/files/development/

RPM and Debian package repositories are also available.

SELKS

EveBox is also included in SELKS which provides Suricata and an ELK stack configured and ready to go.

Docker

If you wish to install EveBox with Docker an up to date image is hosted on Docker hub.

Example:

docker pull jasonish/evebox:latest
docker run -it -p 5636:5636 jasonish/evebox:latest -e http://elasticsearch:9200

replacing http://elasticsearch:9200 with the URL of your Elastic Search server. You most likely do not want to use localhost here, as that will be the localhost of the container, not of the host.

OR if you want to link to an already running Elastic Search container:

docker run -it -p 5636:5636 --link elasticsearch jasonish/evebox:latest

Then visit http://localhost:5636 with your browser.

This should not require any modification to your Elastic Search configuration. Unlike previous versions of Evebox, you do not need to enable dynamic scripting and CORS.

Usage

EveBox runs as a server exposing a web interface on port 5636 by default.

With an Existing Elastic Search Server With Events

The basic mode where eve events are being sent to Elastic Search with Logstash and or Filebeat.

evebox server -e http://elasticsearch:9200

With the Embedded SQLite Database

This is useful if you don't have Elastic Search and are running EveBox on the same machine as Suricata. It uses an embedded SQLite database for events and is suitable for lighter loads. Currently SQLite does not support reporting.

evebox server -D . --datastore sqlite --input /var/log/suricata/eve.json
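Before pointing --input at an eve.json file it is worth confirming that the file is what this mode expects: newline-delimited JSON, one event object per line, each carrying at least a timestamp and an event_type. The following Python script is an added example and is not part of EveBox; the sample lines are constructed, and the required-field check is an assumption about typical Suricata EVE output rather than EveBox's own validation logic. It counts events by type, breaks alerts down by severity, and reports the line numbers of any records it could not parse, which is usually the first thing to look at when an import shows fewer events than expected.

```python
import json
from collections import Counter

# Constructed sample of Suricata EVE JSON lines (one JSON object per line).
# Line 4 is deliberately malformed to show how unparseable input is reported.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-01-01T10:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature":"EXAMPLE rule 1","severity":1}}',
    '{"timestamp":"2021-01-01T10:00:01.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.1"}',
    '{"timestamp":"2021-01-01T10:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","dest_ip":"10.0.0.9",'
    '"alert":{"signature":"EXAMPLE rule 2","severity":3}}',
    'this is not json',
    '{"timestamp":"2021-01-01T10:00:03.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
]

# Assumed minimum field set for a usable EVE record (an assumption, not EveBox's rule).
REQUIRED_FIELDS = ("timestamp", "event_type")


def parse_eve_line(line):
    """Decode one EVE line; return the event dict, or None if it is not usable."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict):
        return None
    if any(field not in event for field in REQUIRED_FIELDS):
        return None
    return event


def summarize_eve(lines):
    """Count events by event_type and alerts by severity; record bad line numbers."""
    summary = {
        "event_types": Counter(),
        "alert_severity": Counter(),
        "bad_lines": [],
    }
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines are harmless, skip them silently
        event = parse_eve_line(line)
        if event is None:
            summary["bad_lines"].append(lineno)
            continue
        summary["event_types"][event["event_type"]] += 1
        if event["event_type"] == "alert":
            # Suricata nests alert details under "alert"; severity 1 is the most severe.
            severity = event.get("alert", {}).get("severity")
            summary["alert_severity"][severity] += 1
    return summary


def summarize_eve_file(path):
    """Summarize an on-disk eve.json file line by line without loading it whole."""
    with open(path, encoding="utf-8") as fh:
        return summarize_eve(fh)


if __name__ == "__main__":
    # Run against the constructed sample; replace with summarize_eve_file("/var/log/suricata/eve.json").
    result = summarize_eve(SAMPLE_EVE_LINES)
    for event_type, count in sorted(result["event_types"].items()):
        print(f"{event_type:>8}: {count}")
    for severity, count in sorted(result["alert_severity"].items()):
        print(f"alert severity {severity}: {count}")
    if result["bad_lines"]:
        print("unparseable lines:", result["bad_lines"])
```

Run it as-is to see the summary of the constructed sample; for a real deployment call summarize_eve_file on the same path you pass to --input. Because the file is read line by line, it is safe to run against a large, still-growing eve.json.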

More documentation can be found at http://evebox.readthedocs.io/en/latest/.

Building EveBox

EveBox consists of a JavaScript frontend, and a very minimal backend written in Go. To build Evebox the following requirements must first be satisfied:

  • Node.js v12.16.1 or newer installed.
  • Latest Rust stable.

First checkout EveBox:

git clone https://github.com/jasonish/evebox.git ~/projects/evebox

Then to build the binary:

make

Or to build a release package:

make dist

If you don't want to bother with the required development tools, but do have Docker installed, you can build a Linux release with the following command:

./build.sh linux

Possible Issues

JavaScript heap out of memory

If you get a JavaScript out of memory issue while building, try setting the following environment variable and rebuild:

export NODE_OPTIONS="--max-old-space-size=4096"

Run in Development Mode

./dev.sh -e http://elasticsearch:9200

to run in development mode using an Elastic Search datastore at http://elasticsearch:9200.

Then connect your browser to http://localhost:4200. Note that this port is different from the EveBox port, as the Angular CLI/Webpack development server is used to serve the web application, with backend requests being proxied to the Go application.

In development mode, changes to Go files will trigger a recompile/restart, and changes to the web app will trigger a recompile of the JavaScript and a browser refresh.

Change Log

See https://github.com/jasonish/evebox/blob/master/CHANGELOG.md .

License

Affero GPL. https://www.gnu.org/licenses/agpl-3.0.en.html
