Lilith

Lilith reads in EVE files from Suricata and Sagan into PostgreSQL.

From there that data can then be searched and information on specific events fetched.

Intalation

Debian

apt-get install zlib1g-dev cpanminus libdbi-perl libdbix-class-perl \
 libdata-dumper-perl libdigest-sha-perl libfile-slurp-perl libjson-perl \
 libnet-server-perl libpoe-perl libtoml-perl
cpanm Lilith

FreeBSD

pkg install p5-App-cpanminus p5-DBI p5-DBIx-Class p5-DBD-Pg \
 p5-Data-Dumper p5-Digest-SHA p5-File-Slurp p5-JSON p5-MIME-Base64 \
 p5-Net-Server p5-POE p5-Sys-Syslog p5-Term-ANSIColor \
 p5-Text-ANSITable p5-Time-Piece p5-TOML
cpanm Lilith

Source

perl Makefile.PL
make
make test
make install

Setup

First you need to setup your PostgreSQL server.

createuser -D -l -P -R -S lilith
createdb -E UTF8 -O lilith lilith

Setup /usr/local/etc/lilith.toml

dsn="dbi:Pg:dbname=lilith;host=192.168.1.2"
pass="WhateverYouSetAsApassword"
user="lilith"
# a handy one to ignore for the extend as it is spammy
class_ignore=["Generic Protocol Command Decode"]

# add a suricata instance to monitor
[suricata-eve]
instance="foo-pie"
type="suricata"
eve="/var/log/suricata/alert.json"

# add a second suricata instance to monitor
[another-eve]
instance="foo2-pie"
type="suricata"
eve="/var/log/suricata/alert2.json"

# add a sagan eve to monitor
# instance name is 'foo-lae', given there is no value for instance
[foo-lae]
type="sagan"
eve="/var/log/sagan/alert.json"

Now we just need to setup the tables.

lilith -a create_tables

If using snmpd.

extend lilith /usr/local/bin/lilith -a extend

Config File

The default config file is /usr/local/etc/lilith.toml.

| Variable | Description | |--------------|------------------------------------------------------------------------------------------------------------------------| | dsn | A DSN connection string to be used by [DBI][https://metacpan.org/pod/DBI]. [DBD::Pg][https://metacpan.org/pod/DBD::Pg] | | pass | Password to use for the connection. | | user | User to use for the connetion. | | class_ignore | Array of classes to ignore. |

Sub hashes are then treated as a instance. The following values are available for that.

| Variable | Required | Description | |----------|----------|--------------------------------------------------------------------| | eve | yes | The EVE file to follow. | | type | yes | sagan or suricata, depending on which it is. | | instance | no | The name for the instance. If not specified the hash name is used. |

Options

SYNOPSIS

lilith [B<-c> <config>] B<-a> run

lilith [B<-c> <config>] B<-a> class_map

lilith [B<-c> <config>] B<-a> create_tables

lilith [B<-c> <config>] B<-a> dump_self

lilith [B<-c> <config>] B<-a> event [B<-t> <table>] B<--id> <row_id> [B<--raw>]
[[B<--pcap> <output file>] [B<--virani> <remote>] [B<--buffer> <buffer secodns>]]

lilith [B<-c> <config>] B<-a> event [B<-t> <table>] B<--event> <event_id> [B<--raw>]
[[B<--pcap> <output file>] [B<--virani> <remote>] [B<--buffer> <buffer secodns>]

lilith [B<-c> <config>] B<-a> extend [B<-Z>] [B<-m> <minutes>]

lilith [B<-c> <config>] B<-a> get_short_class_snmp_list

lilith [B<-c> <config>] B<-a> search [B<--output> <return>] [B<-t> <table>]
[B<-m> <minutes>] [B<--order> <clm>] [B<--limit> <int>] [B<--offset> <int>]
[B<--orderdir> <dir>] [B<--si> <src_ip>] [B<--di> <<dst_ip>] [B<--ip> <ip>]
[B<--sp> <<src_port>] [B<--dp> <<dst_port>] [B<--port> <<port>] [B<--host> <host>]
[B<--ih> <host>] [B<-i> <instance>] [B<-c> <class>] [B<-s> <sig>] [B<--if> <if>]
[B<--ap> <proto>] [B<--gid> <gid>] [B<--sid> <sid>] [B<--rev> <rev>]
[B<--subip> <subip>] [B<--subhost> <subhost>] [B<--slug> <slug>] [B<--pkg> <pkg>]
[B<--malscore> <malscore>] [B<--size> <size>] [B<--target> <target>]
[B<--task> <task>]

GENERAL SWITCHES

-a action

The action to perform.

- Default :: search

-c config

The config file to use.

- Default :: /usr/local/etc/lilith.toml

-t table

Table to operate on.

- Default :: suricata

=head1 ACTIONS

run

Start processing the EVE logs and daemonize.

class_map

Print a table of class mapping from long name to the short name used for display in the search results.

create_tables

Create the tables in the DB.

dump_self

Initiate Lilith and then dump it via Data::Dumper.

event

Fetches a event. The table to use can be specified via -t.

--id row_id

Fetch event via row ID.

--event event_id

Fetch the event via the event ID.

--raw

Do not decode the EVE JSON.

--pcap file

Fetch the remote PCAP via Virani and write it to the file. Only usable for with Suricata tables.

Default :: undef

--virani conf

Virani setting to pass to -r.

Default :: instance name in alert

--buffer secs

How many seconds to pad the start and end time with.

Default :: 60

extend

Prints a LibreNMS style extend.

-Z

Enable Gzip+Base64 LibreNMS style extend compression.

-m minutes

How far back to search. For the extend action, 5 minutes is the default.

-d dir

The directory to write it out too.

get_short_class_snmp_list

Print a list of shorted class names for use with SNMP.

search

Search the DB. The table may be specified via -t.

The common option types for search are as below.

- Integer :: A comma seperated list of integers to check for. Any number
             prefixed with a ! will be negated.
- String :: A string to check for. May be matched using like or negated via
            the proper options.
- Complex :: A item to match.
- IP :: An IP.

General Search Options

--output return

The output type.

- Values :: table,json
- Default :: table

-m minute

How far back to to in minutes.

- Default :: 1440

- Default, extend :: 5

--order column

Column to use for sorting by.

- Default :: timestamp

- Cape Default :: stop

--orderdir direction

Direction to order in.

- Values :: ASC,DSC
- Default :: ASC

IP Options

--si src IP

Source IP.

- Default :: undef
- Type :: IP

--di dst IP

Destination IP.

- Default :: undef
- Type :: IP

--ip IP

IP, either dst or src.

- Default :: undef
- Type :: complex IP

Port Options

--sp src port

Source port.

- Default :: undef
- Type :: integer

--dp dst port

Destination port.

- Default :: undef
- Type :: integer

-p port

Port, either dst or src.

- Default :: undef
- Type :: complex integer

Host Options

Sagan :: Host is the sending system and instance host is the host the
         instance is running on.

Suricata :: Host is the system the instance is running on. There is no
            instance host.

--host host

Host.

- Default :: undef
- Type :: string

Instance Options

--ih host

Instance host.

- Default :: undef
- Type :: string

Instance Options

-i instance

Instance.

- Default :: undef
- Type :: string

Class Options

-c class

Classification.

- Default :: undef
- Type :: string

Signature Options

-s sig

Signature.

- Default :: undef
- Type :: string

In Interface Options

--if if

Interface.

- Default :: undef
- Type :: string

App Proto Options

--ap proto

App proto.

- Default :: undef
- Type :: string

Rule Options

--gid gid

GID.

- Default :: undef
- Type :: integer

--sid sid

SID.

- Default :: undef
- Type :: integer

--rev rev

Rev.

- Default :: undef
- Type :: integer

CAPEv2 Options

--slug slug

The slug it was submitted with.

- Default :: undef
- Type :: string

--pkg pkg

The detopnation package used with CAPEv2.

- Default :: undef
- Type :: string

--malscore malscore

The malscore of the sample.

- Default :: undef
- Type :: integer

--size size

The size of the sample.

- Default :: undef
- Type :: integer

--target target

The the detonation target.

- Default :: undef
- Type :: string

--task task

The task ID of the run.

- Default :: undef
- Type :: integer

--subip subip

The IP the sample was submitted from.

- Default :: undef
- Type :: IP

--subhost subhost

The host the sample was submitted from.

- Default :: undef
- Type :: string

ENVIROMENTAL VARIABLES

Lilith_table_color

The LText::ANSITable table color to use.

- Default :: Text::ANSITable::Standard::NoGradation

Lilith_table_border

The LText::ANSITable border type to use.

- Default :: ASCII::None

Lilith_IP_color

Perl boolean for if IPs should be colored or not.

- Default :: 1

Lilith_IP_private_color

ANSI color to use for private IPs.

- Default :: bright_green

Lilith_IP_remote_color

ANSI color to use for remote IPs.

- Default :: bright_yellow

Lilith_IP_local_color

ANSI color to use for local IPs.

- Default :: bright_red

Lilith_timesamp_drop_micro

Perl boolean for if microseconds should be dropped or not.

- Default :: 1

Lilith_instance_color

If the lilith instance colomn info should be colored.

- Default :: 1

Lilith_instance_type_color

Color for the instance name.

- Default :: bright_blue

Lilith_instance_slug_color

Color for the insance slug.

- Default :: bright_magenta

Lilith_instance_loc_color

Color for the insance loc.

- Default :: bright_cyan.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)