StamusNetworks / scirius

Scirius is a web application for Suricata ruleset management and threat hunting.
GNU General Public License v3.0
621 stars, 148 forks

Support for multiple suricata hosts/probes #178

Status: Open. Potrik98 opened this issue 5 years ago

Potrik98 commented 5 years ago

I have alerts from multiple suricata hosts. On the /rules/ page, the rules table and the trends chart are populated with data from all suricata hosts, however the timeline is only populated with data from the first added host, usually named 'suricata'. Referencing https://github.com/StamusNetworks/scirius/blob/732d8ab0a67453af91ea5246e67ec9986c8b4bb2/suricata/models.py#L94 and https://github.com/StamusNetworks/scirius/blob/732d8ab0a67453af91ea5246e67ec9986c8b4bb2/rules/views.py#L58 we see that only the first suricata host is selected when setting the value of the probes field. Changing this line to return all suricata hosts temporarily resolves this issue.

On the /suricata/ page only data from the first suricata probe (usually named 'suricata') appears, and it is not possible to check data from other suricata probes. Referencing https://github.com/StamusNetworks/scirius/blob/732d8ab0a67453af91ea5246e67ec9986c8b4bb2/suricata/views.py#L51 and https://github.com/StamusNetworks/scirius/blob/732d8ab0a67453af91ea5246e67ec9986c8b4bb2/suricata/views.py#L61: as this sets the value of the context variable suricata, which is not a list, I was unable to implement the same hotfix here; this probably requires a bit more work.

The main question is what kind of support for multiple suricata probes is planned in Scirius, as some functionality for this already exists in the codebase; it is just not fully implemented all the way through.

regit commented 5 years ago

Hello @Potrik98, it is available as part of our Enterprise offer. We are using another Django application (other than suricata) to do that.

hoaivan commented 5 years ago

@Potrik98 could you outline what to do to support multiple suricata probes? I might be able to give a hand.

Potrik98 commented 5 years ago

@hoaivan If you take a look at the features implemented in #184, this should cover the two problems above. The PR adds functionality for displaying data from multiple probes, and for enabling/disabling them, showing data only for the selected probes. This is only on the /rules and /suricata pages, but for us this is sufficient for the time being. Using different rulesets on different probes, and pushing to different probes, is currently not possible, but this functionality could be useful for some people. We use the same ruleset on all probes, and have our own system for pushing the scirius.rules file when it's changed, so the functionality from #184 is sufficient.
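The behaviour the thread describes (a timeline built from one probe only versus one built from every enabled probe) can be illustrated without Scirius or Elasticsearch. The block below is an added example, not code from the Scirius repository or from PR #184: it takes a handful of constructed EVE-style alert records with a `host` field naming the probe, buckets them into 5-minute slots for the selected probes only, and also merges them into the single series a trends chart would draw. The record shape, the `host` field name, the bucket size and the function names are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample alerts in a simplified EVE-like shape (illustrative data, not real traffic).
# Three probes report alerts; "suricata" is the first-added probe from the bug report.
SAMPLE_ALERTS = [
    {"timestamp": "2019-05-01T10:00:05.000000+0000", "host": "suricata", "alert": {"signature_id": 2100498}},
    {"timestamp": "2019-05-01T10:03:40.000000+0000", "host": "suricata", "alert": {"signature_id": 2100498}},
    {"timestamp": "2019-05-01T10:01:10.000000+0000", "host": "probe-2",  "alert": {"signature_id": 2210010}},
    {"timestamp": "2019-05-01T10:07:00.000000+0000", "host": "probe-2",  "alert": {"signature_id": 2210010}},
    {"timestamp": "2019-05-01T10:06:30.000000+0000", "host": "probe-3",  "alert": {"signature_id": 2013028}},
]

BUCKET = timedelta(minutes=5)


def parse_ts(ts):
    """Parse an EVE-style timestamp ("2019-05-01T10:00:05.000000+0000") into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def bucket_start(dt, bucket=BUCKET):
    """Floor a datetime to the start of its bucket and return it as an ISO-8601 UTC string."""
    seconds = int(bucket.total_seconds())
    floored = int(dt.timestamp()) // seconds * seconds
    return datetime.fromtimestamp(floored, tz=timezone.utc).isoformat()


def probe_names(alerts):
    """All probes seen in the alert stream (the list a probe selector would offer)."""
    return sorted({a["host"] for a in alerts})


def timeline(alerts, selected_probes, bucket=BUCKET):
    """Per-probe alert counts per time bucket, restricted to the selected probes.

    Returns {probe: {bucket_iso: count}}. Probes that are not selected, or that
    appear in the selection but never produced alerts, are simply absent.
    """
    selected = set(selected_probes)
    counts = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        host = a["host"]
        if host not in selected:
            continue
        counts[host][bucket_start(parse_ts(a["timestamp"]), bucket)] += 1
    return {host: dict(series) for host, series in counts.items()}


def merged_timeline(alerts, selected_probes, bucket=BUCKET):
    """The single series a trends chart would draw: per-bucket totals across the selected probes."""
    merged = defaultdict(int)
    for series in timeline(alerts, selected_probes, bucket).values():
        for slot, n in series.items():
            merged[slot] += n
    return dict(sorted(merged.items()))


if __name__ == "__main__":
    probes = probe_names(SAMPLE_ALERTS)
    print("probes:", probes)
    # The reported behaviour: only the first-added probe feeds the timeline.
    print("first probe only:", timeline(SAMPLE_ALERTS, probes[:1]))
    # The fixed behaviour: every enabled probe feeds it, and the chart sums them.
    print("all probes:", timeline(SAMPLE_ALERTS, probes))
    print("trend:", merged_timeline(SAMPLE_ALERTS, probes))
```

Passing `probes[:1]` reproduces the "only the first host" symptom from the report, while passing the full list (or any subset the user has enabled) gives the per-probe and merged views. Selecting an unknown probe name is harmless: it contributes nothing rather than raising.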

hoaivan commented 5 years ago

You're the man @Potrik98