A few months ago, I wrote a blog entry that is worth reading if you lack context on installing Suricata on Debian with Barnyard and syslog support. When I did that research, Suricata 2.0 was still under development; it has since been released, and what is very interesting about this release is its JSON support.
I am running Debian Wheezy, but I did not want to install from source or upgrade to sid, so I ended up rebuilding libhtp1 and Suricata 2.0 for Wheezy. You can download the resulting packages right here:
- libhtp1_0.5.11-1_amd64.deb (md5sum: 5578bd3d5022530d34a6e876de3331b6 / sha1sum: 06b7ca7778c4415877c688ce8fc7295b37178bae)
- suricata_2.0.0-1_amd64.deb (md5sum: 92b7cd509c2e8a577aac69e4143a35b4 / sha1sum: b7a661e5c8471d2b322f3bcd9ae09037517f1ddf)
These packages were compiled on my own Wheezy server with the latest patches installed. I also installed libjansson4 and built Suricata 2.0 with JSON support (the Debian suricata package on Wheezy disables JSON support by default).
This lets Suricata write its events as JSON directly to a file. If you need more information on feeding that output into your Logstash/Kibana installation, take a look at that link on Logstash, Kibana and Suricata JSON output.
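As an added example that is not part of the original post, here is a small Python script that reads Suricata 2.0 EVE JSON lines (the file output enabled above) and summarises alerts by signature and by source address, the kind of first pass you can do before the data ever reaches Logstash. The log records are constructed for illustration and are not real alerts from the post.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of Suricata EVE JSON output (one JSON object per line).
# These records are illustrative, not captured from a real sensor; the last
# line is deliberately malformed to exercise the parser's error handling.
SAMPLE_EVE = """\
{"timestamp":"2014-04-01T10:00:00.000001","event_type":"alert","src_ip":"192.0.2.10","src_port":44321,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2014-04-01T10:00:01.000002","event_type":"http","src_ip":"192.0.2.10","src_port":44321,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","http":{"hostname":"example.com","url":"/","http_method":"GET","status":200}}
{"timestamp":"2014-04-01T10:00:02.000003","event_type":"alert","src_ip":"192.0.2.10","src_port":44322,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2014-04-01T10:00:03.000004","event_type":"alert","src_ip":"203.0.113.7","src_port":51000,"dest_ip":"198.51.100.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
not json at all
"""

def parse_eve(lines):
    """Yield one dict per well-formed EVE record; skip blank or malformed
    lines instead of aborting, since a truncated line at the file tail
    is common when Suricata is still writing."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except ValueError:
            continue

def summarise_alerts(records):
    """Count alert events per (signature_id, signature) overall and per
    source IP. Other event types (http, dns, ...) are counted as skipped."""
    by_sig = Counter()
    by_src = defaultdict(Counter)
    skipped = 0
    for rec in records:
        if rec.get("event_type") != "alert":
            skipped += 1
            continue
        alert = rec["alert"]
        key = (alert["signature_id"], alert["signature"])
        by_sig[key] += 1
        by_src[rec["src_ip"]][key] += 1
    return by_sig, by_src, skipped

if __name__ == "__main__":
    sigs, srcs, skipped = summarise_alerts(parse_eve(SAMPLE_EVE.splitlines()))
    for (sid, name), n in sigs.most_common():
        print(f"{n:4d}  sid:{sid}  {name}")
    for ip, counts in srcs.items():
        print(ip, sum(counts.values()), "alert(s)")
    print(skipped, "non-alert record(s) skipped")
```

Point `parse_eve` at the real file (for example `open("/var/log/suricata/eve.json")`, a path that is an assumption here) to run it against live output.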
You can also install some nice Suricata dashboards for Kibana; I have been using these ones lately.
I will write a bit later about tidying up your alerts.