本文にスキップ
KYRA MDR KYRA MDR Docs

Suricata IDS Integration

Overview

Suricata is a high-performance open-source IDS, IPS, and network security monitoring engine. KYRA MDR collects Suricata EVE JSON logs for comprehensive network threat detection. Supports Suricata 6.x and 7.x.

Prerequisites

  • A KYRA MDR Collector installed and running
  • Suricata installed and configured with active rulesets
  • Network connectivity from the Suricata sensor to the collector
  • ET Open or ET Pro rulesets

Configuration

Configure Suricata EVE JSON output with syslog:

Edit /etc/suricata/suricata.yaml:

outputs:
  - eve-log:
      enabled: yes
      filetype: syslog
      identity: suricata
      facility: local5
      level: Info
      types:
        - alert
        - http
        - dns
        - tls
        - files
        - flow

Restart Suricata:

Terminal window
sudo systemctl restart suricata

Collected Log Types

Log TypeDescriptionSecurity Use
AlertSignature match eventsIntrusion detection
HTTPHTTP request and response metadataWeb attack detection
DNSDNS query and response logsDNS tunneling, C2 detection
TLSTLS handshake metadataCertificate analysis
FlowNetwork flow recordsTraffic analysis, anomaly detection
FileFile extraction eventsMalware file detection

Troubleshooting

No EVE output: Verify the EVE log configuration in suricata.yaml. The filetype must be set to syslog.

Missing protocol logs: Each protocol type must be listed under the types section.

Performance issues: Monitor CPU usage and consider tuning the max-pending-packets setting.

Contact kyra@seekerslab.com for support.