lilith - Forward EVE log alerts to Postgresql as well as make it searchable.
lilith [-c <config>] -a run
lilith [-c <config>] -a class_map
lilith [-c <config>] -a create_tables
lilith [-c <config>] -a dump_self
lilith [-c <config>] -a event [-t <table>] --id <row_id> [--raw] [[--pcap <output file>] [--virani <remote>] [--buffer <buffer seconds>]]
lilith [-c <config>] -a event [-t <table>] --event <event_id> [--raw] [[--pcap <output file>] [--virani <remote>] [--buffer <buffer seconds>]]
lilith [-c <config>] -a extend [-Z] [-m <minutes>]
lilith [-c <config>] -a generate_baphomet_yamls --dir <dir>
lilith [-c <config>] -a get_short_class_snmp_list
lilith [-c <config>] -a search [--output <return>] [-t <table>] [-m <minutes>] [--order <clm>] [--limit <int>] [--offset <int>] [--orderdir <dir>] [--si <src_ip>] [--di <dst_ip>] [--ip <ip>] [--sp <src_port>] [--dp <dst_port>] [--port <port>] [--host <host>] [--hostl] [--hosN] [--ih <host>] [--ihl] [--ihN] [-i <instance>] [-il] [-iN] [-c <class>] [--cl] [--cN] [-s <sig>] [--sl] [--sN] [--if <if>] [--ifl] [--ifN] [--ap <proto>] [--apl] [--apN] [--gid <gid>] [--sid <sid>] [--rev <rev>] [--subip <subip>] [--subhost <subhost>] [--slug <slug>] [--pkg <pkg>] [--malscore <malscore>] [--size <size>] [--target <target>] [--task <task>]
This script runs various actions for Lilith, including search and the daemon.
The action to perform.
- Default :: search
The config file to use.
- Default :: /usr/local/etc/lilith.toml
Table to operate on.
- Default :: suricata
Start processing the EVE logs and daemonize.
Print a table of class mapping from long name to the short name used for display in the search results.
Create the tables in the DB.
Initialize Lilith and then dump the resulting object via Data::Dumper.
Fetches an event. The table to use can be specified via -t.
Fetch event via row ID.
Fetch the event via the event ID.
Do not decode the EVE JSON.
Fetch the remote PCAP via Virani and write it to the file. Only usable with Suricata tables.
Default :: undef
Virani setting to pass to -r.
Default :: instance name in alert
How many seconds to pad the start and end time with.
Default :: 60
Prints a LibreNMS style extend.
Enable Gzip+Base64 LibreNMS style extend compression.
How far back to search. For the extend action, 5 minutes is the default.
Generate the YAMLs for Baphomet.
The directory to write them out to.
Print a list of shortened class names for use with SNMP.
Search the DB. The table may be specified via -t.
The common option types for search are as below.
- Integer :: A comma separated list of integers to check for. Any number prefixed with a ! will be negated.
- String :: A string to check for. May be matched using like or negated via the proper options.
- Complex :: An item to match.
- IP :: An IP.
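As an added illustration of how the option types above translate into a query (example code, not Lilith's own; the column names src_ip, dst_ip and dst_port and the psycopg-style %s placeholders are assumptions), the following builds a parameterized WHERE clause from an Integer spec with ! negation, a String option with its like/invert variants, and a complex IP that matches either end of the flow:

```python
# Example only, not part of Lilith. Column names and %s placeholders are assumed.
from typing import List, Tuple

def integer_filter(column: str, spec: str) -> Tuple[str, List[int]]:
    """Integer type: comma separated ints; a leading '!' negates that value."""
    keep, drop = [], []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("!"):
            drop.append(int(item[1:]))
        else:
            keep.append(int(item))
    clauses, params = [], []
    if keep:
        clauses.append(f"{column} IN ({', '.join('%s' for _ in keep)})")
        params += keep
    if drop:
        clauses.append(f"{column} NOT IN ({', '.join('%s' for _ in drop)})")
        params += drop
    return " AND ".join(clauses), params

def string_filter(column: str, value: str, like: bool = False,
                  negate: bool = False) -> Tuple[str, List[str]]:
    """String type: exact match, LIKE match (the *l options), or inverted (the *N options)."""
    if negate:
        op = "NOT LIKE" if like else "<>"
    else:
        op = "LIKE" if like else "="
    # The value always travels as a bound parameter, never spliced into the SQL text.
    return f"{column} {op} %s", [value]

def complex_ip_filter(ip: str) -> Tuple[str, List[str]]:
    """Complex IP (--ip): match the address as either src or dst."""
    return "(src_ip = %s OR dst_ip = %s)", [ip, ip]

def build_where(filters) -> Tuple[str, list]:
    """Join the non-empty fragments; an unset option (undef) contributes nothing."""
    clauses, params = [], []
    for clause, p in filters:
        if clause:
            clauses.append(f"({clause})")
            params += p
    return " AND ".join(clauses), params

if __name__ == "__main__":
    # Constructed sample: dst port 80 or 443 but not 8080, from or to 10.0.0.5.
    print(build_where([integer_filter("dst_port", "80,443,!8080"),
                       complex_ip_filter("10.0.0.5")]))
```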
The output type.
- Values :: table,json
- Default :: table
How far back to go in minutes.
- Default :: 1440
- Default, extend :: 5
Column to use for sorting by.
- Default :: timestamp
- Cape Default :: stop
Direction to order in.
- Values :: ASC,DSC
- Default :: ASC
Source IP.
- Default :: undef
- Type :: IP
Destination IP.
IP, either dst or src.
- Default :: undef
- Type :: complex IP
Source port.
- Default :: undef
- Type :: integer
Destination port.
Port, either dst or src.
- Default :: undef
- Type :: complex integer
- Sagan :: Host is the sending system and instance host is the host the instance is running on.
- Suricata :: Host is the system the instance is running on. There is no instance host.
Host.
- Default :: undef
- Type :: string
Use like for matching host.
Invert host matching.
Instance host.
Use like for matching instance host.
- Default :: undef
Invert instance host matching.
Instance.
Use like for matching instance.
Invert instance matching.
Classification.
Use like for matching classification.
Invert class matching.
Signature.
Use like for matching signature.
Invert signature matching.
Interface.
Use like for matching interface.
Invert interface matching.
App proto.
Use like for matching app proto.
Invert app proto matching.
GID.
SID.
Rev.
The slug it was submitted with.
The detonation package used with CAPEv2.
The malscore of the sample.
The size of the sample.
The detonation target.
The task ID of the run.
The IP the sample was submitted from.
The host the sample was submitted from.
The Text::ANSITable table color to use.
- Default :: Text::ANSITable::Standard::NoGradation
The Text::ANSITable border type to use.
- Default :: ASCII::None
Perl boolean for whether IPs should be colored.
- Default :: 1
ANSI color to use for private IPs.
- Default :: bright_green
ANSI color to use for remote IPs.
- Default :: bright_yellow
ANSI color to use for local IPs.
- Default :: bright_red
Perl boolean for whether microseconds should be dropped.
Whether the Lilith instance column info should be colored.
Color for the instance name.
- Default :: bright_blue
Color for the instance slug.
- Default :: bright_magenta
Color for the instance loc.
- Default :: bright_cyan
The default config file is `/usr/local/etc/lilith.toml`.
- dsn :: A DSN connection string to be used by DBI
- pass :: Password to use for the connection.
- user :: User to use for the connection.
- class_ignore :: Array of classes to ignore.
Sub hashes are then treated as an instance. The following values are available for that.
- eve :: The EVE file to follow.
- type :: `sagan` or `suricata`, depending on which it is.
- instance :: The name for the instance. If not specified the hash name is used.
Example...
    dsn="dbi:Pg:dbname=lilith;host=192.168.1.2"
    pass="WhateverYouSetAsApassword"
    user="lilith"
    # a handy one to ignore for the extend as it is spammy
    class_ignore=["Generic Protocol Command Decode"]

    # add a suricata instance to monitor
    [suricata-eve]
    instance="foo-pie"
    type="suricata"
    eve="/var/log/suricata/alert.json"

    # add a second suricata instance to monitor
    [another-eve]
    instance="foo2-pie"
    type="suricata"
    eve="/var/log/suricata/alert2.json"

    # add a sagan eve to monitor
    # instance name is 'foo-lae', given there is no value for instance
    [foo-lae]
    type="sagan"
    eve="/var/log/sagan/alert.json"

To install Lilith, copy and paste the appropriate command into your terminal.
cpanm
cpanm Lilith
CPAN shell
perl -MCPAN -e shell
install Lilith
For more information on module installation, please visit the detailed CPAN module installation guide.