
Supporting Humio and multiple Suricata probes

Open · Potrik98 opened this issue 6 years ago · 1 comment


Adds support for using Humio as an optional replacement of ElasticSearch

Replicated ElasticSearch functionality in Humio

  • /rules: alerts activity, alerts trend and rules activity
  • /rules/rule/pk/: ip and time stats, advanced data
  • /suricata: rules activity and alerts activity (including sunburst graph)
  • When using Humio, the ElasticSearch status indicator and status page are replaced with a Humio status indicator and status page.
  • /rules/hunt: dashboard, signatures and alerts work the same, including filtering.

Humio can be selected as one of the possible backends in settings.py.

Multiprobe support (#178)

  • Show data from multiple Suricata probes consistently across different ui elements
  • Selecting (enable/disable) probes on the timeline graph. This automatically filters the rules table on /rules, and the rules table and sunburst graph on the /suricata page

Dynamic interaction (required by our multiprobe features)

  • When ordering or filtering a table, the table is updated without having to refresh the page
  • When interacting with the sunburst on /suricata or the timeline on /rules or /suricata, the other ui elements are updated accordingly.

Bugfixes

  • Overload the default comparator in the category model, resolving the issue of inconsistent results when sorting by category 227398f5eb7359ba8bcd118499524843bf63ba77
  • Undefined variable access in disablecategory command ba50ebfaf485d5ce2e07260a8fbd21a5ae0cebdc
  • Change from floating point to integer on the timeline y axis and update the graph correctly c9c6f0c764c54d4d9e5c75a15b5bb3ba0ba9ba2a
  • Hide the 'Fetching data' text paragraph after the timeline is rendered 4d39fa5282ff0f68c3008461c5b49cb93f3ad1b1
  • Fix filtering on category on the /suricata page when using ElasticSearch with a keyword setting other than 'raw' 12ba989637451f6df6bcf9a44abf265e4f923ea9

Other

  • Add a removesuricata command to manage.py removing a suricata probe by name cf8de6fb9ba82d6b6ff9ab5600975f21bed3d62c
  • Lazy computation of the queryset in RuleHitsOrderingFilter in rest_api, to avoid unnecessarily evaluating the entire queryset for all the rules in the database. This significantly reduces the response time (from ~11s to ~1s on my machine). 93a48f07e059bb943dd531a3a61e74afcedc79c8 ddc1466070e2d66e65f172863df2e037a45dba5e

Potrik98 avatar Aug 02 '19 08:08 Potrik98

Some screenshots (humio as backend)

  • Alerts activity timeline (screenshot_1564735740)
  • /suricata without selected category (screenshot_1564736531)
  • /suricata with selected category (screenshot_1564735941)
  • /suricata with selected category, ordering by hits (screenshot_1564736027)
  • /suricata with selected category, ordering by -hits (screenshot_1564736074)
  • /rules, ordering by category (screenshot_1564736227)
  • /rules, ordering by -category (screenshot_1564736298)
  • System status (screenshot_1564736166)
  • Alerts trend (screenshot_1564736174)

jorgenbele avatar Aug 02 '19 09:08 jorgenbele