Awesome
Lilith
Lilith reads in EVE files from Suricata and Sagan into PostgreSQL.
From there that data can then be searched and information on specific events fetched.
Intalation
Debian
apt-get install zlib1g-dev cpanminus libjson-perl libtoml-perl \
libdbi-perl libfile-readbackwards-perl libdigest-sha-perl libpoe-perl \
libfile-slurp-perl libdbd-pg-perl
cpanm Lilith
FreeBSD
pkg install p5-App-cpanminus p5-JSON p5-TOML p5-DBI \
p5-File-ReadBackwards p5-Digest-SHA p5-POE \
p5-MIME-Base64 p5-Gzip-Faster p5-DBD-Pg p5-File-Slurp
cpanm Lilith
Source
perl Makefile.PL
make
make test
make install
Setup
First you need to setup your PostgreSQL server.
createuser -D -l -P -R -S lilith
createdb -E UTF8 -O lilith lilith
Setup /usr/local/etc/lilith.toml
dsn="dbi:Pg:dbname=lilith;host=192.168.1.2"
pass="WhateverYouSetAsApassword"
user="lilith"
# a handy one to ignore for the extend as it is spammy
class_ignore=["Generic Protocol Command Decode"]
Now we just need to setup the tables.
lilith -a create_tables
If using snmpd.
extend lilith /usr/local/bin/lilith -a extend
--help
--config <ini> Config INI file.
Default :: /usr/local/etc/lilith.ini
-a <action> Action to perform.
Default :: search
Action :: run
Description :: Runs the ingestion loop.
Action :: class_map
Description :: Display class to short class mappings.
Action :: create_tables
Description :: Creates the tables in PostgreSQL.
Action :: event
Description :: Fetch the information for the specified event.
Either --id or --event is needed.
--id <row id> Row ID to fetch.
Default :: undef
--event <id> Event ID to fetch.
Default :: undef
Action :: extend
Description :: LibreNMS style SNMP extend.
-m <minutes> How far backt to go in minutes.
Default :: 5
-Z LibreNMS style compression, gzipped and
then base64 encoded.
Default :: undef
Action :: search
Description :: Searches the specified table returns the results.
--ouput <return> Return type. Either table or json.
Default :: table
-t <table> Table to search. suricata/sagan
Default :: suricata
-m <minutes> How far backt to go in minutes.
Default :: 1440
--order <clm> Column to order by.
Default :: timestamp
--limit <int> Limit to return.
Default :: undef
--offset <int> Offset for a limited return.
Default :: undef
--orderdir <dir> Direction to order in.
Default :: ASC
* IP Options
--si <src ip> Source IP.
Default :: undef
Type :: string
--di <dst ip> Destination IP.
Default :: undef
Type :: string
--ip <ip> IP, either dst or src.
Default :: undef
Type :: complex
* Port Options
--sp <src port> Source port.
Default :: undef
Type :: integer
--dp <dst port> Destination port.
Default :: undef
Type :: integer
-p <port> Port, either dst or src.
Default :: undef
Type :: complex
* Host Options
--host <host> Host.
Default :: undef
Type :: string
--hostl Use like for matching host.
Default :: undef
--hostN Invert host matching.
Default :: undef
--ih <host> Instance host.
Default :: undef
Type :: string
--ihl Use like for matching instance host.
Default :: undef
--ihN Invert instance host matching.
Default :: undef
* Instance Options
--i <instance> Instance.
Default :: undef
Type :: string
--il Use like for matching instance.
Default :: undef
--iN Invert instance matching.
Default :: undef
* Class Options
-c <class> Classification.
Default :: undef
Type :: string
-cl Use like for matching classification.
Default :: undef
--cN Invert class matching.
Default :: undef
* Signature Options
-s <sig> Signature.
Default :: undef
Type :: string
-sl Use like for matching signature.
Default :: undef
--sN Invert signature matching.
Default :: undef
* In Interface Options
-if <if> Interface.
Default :: undef
Type :: string
-ifl Use like for matching interface.
Default :: undef
--ifN Invert interface matching.
Default :: undef
* App Proto Options
-ap <proto> App proto.
Default :: undef
Type :: string
-apl Use like for matching app proto.
Default :: undef
--apN Invert app proto matching.
Default :: undef
* Rule Options
--gid <gid> GID.
Default :: undef
Type :: integer
--sid <sid> SID.
Default :: undef
Type :: integer
--rev <rev> Rev.
Default :: undef
Type :: integer
* Types
Integer :: A comma seperated list of integers to check for. Any number
prefixed with a ! will be negated.
String :: A string to check for. May be matched using like or negated via
the proper options.
Complex :: A item to match.