Suricata IDS Integration
Overview
Suricata is a high-performance open-source IDS, IPS, and network security monitoring engine. KYRA MDR collects Suricata EVE JSON logs for comprehensive network threat detection. Supports Suricata 6.x and 7.x.
Prerequisites
- A KYRA MDR Collector installed and running
- Suricata installed and configured with active rulesets
- Network connectivity from the Suricata sensor to the collector
- ET Open or ET Pro rulesets
Configuration
Configure Suricata's EVE JSON output to deliver events over syslog (each EVE record is sent as the syslog message body, with the identity and facility below in the header):
Edit /etc/suricata/suricata.yaml:
```yaml
outputs:
  - eve-log:
      enabled: yes
      filetype: syslog
      identity: suricata
      facility: local5
      level: Info
      types:
        - alert
        - http
        - dns
        - tls
        - files
        - flow
```
Restart Suricata:
```shell
sudo systemctl restart suricata
```
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Alert | Signature match events | Intrusion detection |
| HTTP | HTTP request and response metadata | Web attack detection |
| DNS | DNS query and response logs | DNS tunneling, C2 detection |
| TLS | TLS handshake metadata | Certificate analysis |
| Flow | Network flow records | Traffic analysis, anomaly detection |
| File | File extraction events | Malware file detection |
Troubleshooting
No EVE output: Verify the eve-log configuration in suricata.yaml. The filetype must be set to syslog; with any other filetype, events are written locally on the sensor instead of being forwarded to the collector.
Missing protocol logs: Each protocol type (alert, http, dns, tls, files, flow) must be listed under the types section of the eve-log output; a type that is not listed is never emitted.
Performance issues: Monitor sensor CPU usage and packet drops, and consider tuning the max-pending-packets setting in suricata.yaml.
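As an added illustration (not code from KYRA MDR or from the Suricata project), the Python script below consumes a handful of constructed EVE JSON lines of the event types listed in the table above, strips the syslog header that filetype: syslog prepends to each record, reports which of the expected event types never arrived (the "Missing protocol logs" case from the troubleshooting list), and runs a simple triage pass over alert, DNS and TLS records. The sample lines, the signature ID, the syslog priority value and the triage thresholds are all assumptions made for the example.

```python
import json
from collections import Counter

# Event types the integration expects, i.e. the "types" list in suricata.yaml.
EXPECTED_TYPES = ("alert", "http", "dns", "tls", "files", "flow")

# Constructed sample input (not captured traffic). Two lines carry the syslog
# header that filetype: syslog adds (<174> = facility local5, level Info);
# the last one is a truncated record, to show how bad input is handled.
SAMPLE_EVE = """\
<174>May  1 10:00:00 sensor1 suricata: {"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"EXAMPLE Web Attack","category":"Web Application Attack","severity":1}}
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP","dns":{"type":"query","id":4321,"rrname":"aGVsbG8gd29ybGQgdGhpcyBpcyBsb25n.exfil.example","rrtype":"TXT"}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","tls":{"subject":"CN=localhost","issuerdn":"CN=localhost","sni":"update.example","version":"TLS 1.2"}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","http":{"hostname":"203.0.113.7","url":"/cgi-bin/test.cgi?id=1%27%20OR%201%3D1","http_method":"GET","status":200}}
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","proto":"TCP","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":1200,"bytes_toclient":900,"state":"closed"}}
<174>May  1 10:00:05 sensor1 suricata: {"timestamp":"2024-05-01T10:00:05
"""


def parse_eve(text):
    """Parse EVE JSON lines, tolerating a leading syslog header.

    Returns (events, bad_line_count). A malformed line is counted and
    skipped so that one truncated record does not discard the whole batch.
    """
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        start = line.find("{")          # skip "<PRI>timestamp host identity: "
        if start < 0:
            bad += 1
            continue
        try:
            events.append(json.loads(line[start:]))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def type_counts(events):
    """Count records per event_type, e.g. to confirm each type is flowing."""
    return Counter(e.get("event_type", "unknown") for e in events)


def missing_types(events, expected=EXPECTED_TYPES):
    """Expected event types that never appeared: the 'Missing protocol logs' check."""
    seen = type_counts(events)
    return [t for t in expected if t not in seen]


def triage(events):
    """Very small triage pass; thresholds are illustrative assumptions."""
    findings = []
    for e in events:
        et = e.get("event_type")
        if et == "alert":
            a = e.get("alert", {})
            if a.get("severity", 3) <= 2:        # Suricata: 1 is most severe
                findings.append(("alert", f"{a.get('signature')} sid={a.get('signature_id')}"))
        elif et == "dns":
            d = e.get("dns", {})
            if d.get("type") == "query":
                first_label = d.get("rrname", "").split(".")[0]
                # Long leading labels or TXT lookups are classic tunneling signs.
                if len(first_label) >= 30 or d.get("rrtype") == "TXT":
                    findings.append(("dns", f"suspicious query {d.get('rrname')}"))
        elif et == "tls":
            t = e.get("tls", {})
            if t.get("subject") and t.get("subject") == t.get("issuerdn"):
                findings.append(("tls", f"self-signed {t['subject']} sni={t.get('sni')}"))
    return findings


if __name__ == "__main__":
    evs, bad = parse_eve(SAMPLE_EVE)
    print(f"parsed {len(evs)} events, {bad} malformed line(s)")
    print("per type:", dict(type_counts(evs)))
    print("missing types:", missing_types(evs))
    for kind, detail in triage(evs):
        print(f"[{kind}] {detail}")
```

On the constructed input the script parses five records and drops the truncated sixth, reports that no files record was seen (the type is listed in EXPECTED_TYPES but absent from the sample, which is exactly what a sensor missing that entry under types would produce), and flags the severity-1 alert, the TXT query with a 32-character leading label, and the TLS session with a self-signed certificate.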
Contact kyra@seekerslab.com for support.