

@jstrosch
Last active May 30, 2024 20:19
#!/usr/bin/env bash
# Run Suricata offline against a single pcap and print the alerts it raised.
# Usage: bash <this script> <capture.pcap>
PCAPFILE=$1
LOG_LOCATION='/tmp/suricata'

if [ -z "$PCAPFILE" ] || [ ! -f "$PCAPFILE" ]; then
    echo "File '${PCAPFILE}' doesn't seem to be there - please supply a pcap file."
    exit 1
fi

if [ ! -d "$LOG_LOCATION" ]; then
    echo "Attempting to create Suricata log directory..."
    mkdir -p "$LOG_LOCATION"
else
    echo "Log location exists, removing previous content..."
    # ${VAR:?} aborts if LOG_LOCATION is ever empty, so this can never become 'rm -rf /*'
    rm -rf "${LOG_LOCATION:?}"/*
fi

# Run Suricata in offline mode (i.e. PCAP processing).
# -k none disables checksum validation: captures taken on a host with checksum
# offload often carry bad checksums, and Suricata would otherwise skip those streams.
suricata -c /etc/suricata/suricata.yaml -k none -r "$PCAPFILE" --runmode=autofp -l "$LOG_LOCATION"

if [ ! -f "$LOG_LOCATION/eve.json" ]; then
    echo "No eve.json was written - check that eve-log is enabled in suricata.yaml."
    exit 1
fi

# Print out alerts: select alert events in jq itself (more robust than grep on the
# raw line) and emit raw strings (-r) instead of JSON-quoted ones.
echo -e "\nAlerts:\n"
jq -r 'select(.event_type == "alert") |
  "\(.timestamp) | \(.alert.gid):\(.alert.signature_id):\(.alert.rev) | \(.alert.signature) | \(.alert.category) | \(.src_ip):\(.src_port) -> \(.dest_ip):\(.dest_port)"' \
  "$LOG_LOCATION/eve.json"

# If you have EveBox installed, uncomment this line to launch it in oneshot mode
# evebox oneshot "$LOG_LOCATION/eve.json"
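The jq one-liner above prints every alert as it appears in eve.json, which on a busy pcap buries a single rare hit under hundreds of repeats of one noisy rule. The following Python script is an added example, not part of the gist: it reads eve.json line by line, keeps only `event_type == "alert"` records, prints them in the same one-line layout the jq filter produces, and additionally tallies hits per signature. It also skips non-alert events (flow, dns, http) and lines that are not valid JSON, and tolerates alerts without ports (ICMP). The embedded sample eve.json lines, the SIDs 9000001/9000002 and the rule texts are constructed for illustration; only the field names follow Suricata's EVE schema.

```python
"""Summarise Suricata EVE alerts from eve.json (added example, not the gist's code).

Reads newline-delimited JSON, keeps alert events, prints one line per alert in the
same layout as the gist's jq filter, and counts hits per signature.
"""
import json
import sys
from collections import Counter

# Constructed sample eve.json lines: two alerts for the same signature, one flow
# record (not an alert, skipped), one malformed line (skipped with a warning), and
# one alert for a second signature. IPs, SIDs and rule text are made up.
SAMPLE_EVE = """\
{"timestamp":"2024-05-30T20:10:01.000001+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":49152,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":2,"signature":"EXAMPLE HTTP request to test host","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-30T20:10:01.000500+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10"}
this line is not json
{"timestamp":"2024-05-30T20:10:02.000001+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":49153,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":2,"signature":"EXAMPLE HTTP request to test host","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-30T20:10:03.000001+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":80,"dest_ip":"10.0.0.5","dest_port":49153,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE suspicious response","category":"A Network Trojan was detected","severity":1}}
"""


def iter_alerts(lines):
    """Yield parsed alert events; skip other event types and unparsable lines."""
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            print(f"warning: line {lineno} is not JSON, skipped", file=sys.stderr)
            continue
        if event.get("event_type") != "alert":
            continue
        yield event


def format_alert(event):
    """Render one alert in the same layout as the gist's jq filter.

    ICMP alerts carry no ports, so missing src_port/dest_port print as '-'.
    """
    a = event["alert"]
    return (
        f"{event['timestamp']} | {a['gid']}:{a['signature_id']}:{a['rev']} | "
        f"{a['signature']} | {a['category']} | "
        f"{event['src_ip']}:{event.get('src_port', '-')} -> "
        f"{event['dest_ip']}:{event.get('dest_port', '-')}"
    )


def summarise(lines):
    """Return (formatted alert lines, Counter of (sid, signature) -> hit count)."""
    formatted = []
    counts = Counter()
    for event in iter_alerts(lines):
        formatted.append(format_alert(event))
        a = event["alert"]
        counts[(a["signature_id"], a["signature"])] += 1
    return formatted, counts


if __name__ == "__main__":
    # Pass a real eve.json path as argv[1]; with no argument the constructed sample is used.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE.splitlines()
    alerts, per_sig = summarise(source)
    print("\nAlerts:\n")
    for line in alerts:
        print(line)
    print("\nHits per signature:\n")
    for (sid, sig), n in per_sig.most_common():
        print(f"{n:6d}  {sid}  {sig}")
```

Run it as `python3 eve_alerts.py /tmp/suricata/eve.json` after the gist script has finished, or with no argument to see it process the constructed sample. The per-signature table is what you want to read first on a large pcap: a rule that fires 2 000 times tells you about one conversation, while a rule that fires once may be the interesting one.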