4. Configuration
The Suricata configuration lives in the config/suricata/etc/suricata.yaml file.
The EVE output facility writes alerts, anomalies, metadata, file info and protocol-specific records as JSON. eve.json is a firehose approach: all of these records go into a single file.
Modify the eve-log section under outputs in suricata.yaml according to your requirements. To disable logging for a protocol, set its enabled: false; to enable it, set enabled: true. Further logging features can be added the same way.
Keep in mind that every additional protocol or data entry shipped to Elasticsearch also adds noise, which makes analysis much more time consuming.
Link to EVE output documentation: https://suricata.readthedocs.io/en/suricata-6.0.3/output/eve/eve-json-output.html
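As an added illustration (not the eve-log section PcapMonkey actually ships), here is a trimmed outputs block showing where the per-type enabled switch sits. The filename, the selection of types and which ones are switched off are assumptions chosen to show the mechanism; check the project's own suricata.yaml for its real defaults.

```yaml
# Added example of the eve-log section; values are illustrative, not PcapMonkey's defaults.
outputs:
  - eve-log:
      enabled: true            # master switch for the whole EVE output
      filetype: regular
      filename: eve.json       # single "firehose" file for every record type
      types:
        - alert:
            tagged-packets: true
        - anomaly:
            enabled: true      # keep protocol anomalies, useful when triaging odd traffic
        - http:
            extended: true     # extra HTTP fields (headers, user-agent) at the cost of volume
        - tls:
            extended: true
        - files:
            force-magic: false
        - dns:
            enabled: false     # assumed: DNS switched off to cut noise in Elasticsearch
        - flow:
            enabled: false     # assumed: flow records switched off for the same reason
```

Each protocol entry takes its own enabled key; leaving one out keeps that type at Suricata's default (enabled), so disabling a noisy logger means adding the key explicitly with enabled: false rather than deleting the entry.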
PcapMonkey uses some Zeek packages, listed in config/zeek/site/. Modify the local.zeek file according to your requirements. New packages can also be imported: add the package sources to that directory and load them in local.zeek.