NAME

check_sureicataflows - A Nagios style check to see if a Suricata flows EVE JSON contains bi-directional flows.

SYNOPSIS

check_suricataflows [-f <flows.json>] [-a <alert count>] [-w <warn count>] [-t <seconds>] [<-m> <max lines>]

check_suricataflows -h/--help

check_suricataflows -v/--version

This reads the Suricata EVE JSON flow data file.

.timestamp :: Used for double checking to make sure we don't read farther
    back than we need to.

If the following is found, the entry is checked.

.dest_ip
.src_ip
.flow.pkts_toclient
.flow.pkts_toserver

Bi-directional is when .flow.pkts_toclient and .flow.pkts_toserver are both greater than zero.

Uni-directional is when only .flow.pkts_toclient or .flow.pkts_toserver is greater than zero and the other is zero.

If all entries found are uni-directional then it is safe to assume the monitored span is misconfigured.

The flows EVE JSON location.

Default: /var/log/suricata/flows/current/flow.json

Alert if the number of bidirectional flows are less than this.

Default: 10

Warn if the number of directional flows are less than this.

Default: 20

How far back into the file to read in seconds.

Default: 300

Max number of lines to read in.

To install Check::SuricataFlows, copy and paste the appropriate command in to your terminal.

cpanm Check::SuricataFlows

perl -MCPAN -e shell
install Check::SuricataFlows

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)