lilith - Forward EVE log alerts to PostgreSQL and make them searchable.
lilith [-c <config>] -a run
lilith [-c <config>] -a class_map
lilith [-c <config>] -a create_tables
lilith [-c <config>] -a dump_self
lilith [-c <config>] -a event [-t <table>] --id <row_id> [--raw]
lilith [-c <config>] -a event [-t <table>] --event <event_id> [--raw]
lilith [-c <config>] -a extend [-Z] [-m <minutes>]
lilith [-c <config>] -a generate_baphomet_yamls --dir <dir>
lilith [-c <config>] -a get_short_class_snmp_list
lilith [-c <config>] -a search [--output <return>] [-t <table>] [-m <minutes>] [--order <clm>] [--limit <int>] [--offset <int>] [--orderdir <dir>] [--si <src_ip>] [--di <dst_ip>] [--ip <ip>] [--sp <src_port>] [--dp <dst_port>] [--port <port>] [--host <host>] [--hostl] [--hosN] [--ih <host>] [--ihl] [--ihN] [-i <instance>] [-il] [-iN] [-c <class>] [--cl] [--cN] [-s <sig>] [--sl] [--sN] [--if <if>] [--ifl] [--ifN] [--ap <proto>] [--apl] [--apN] [--gid <gid>] [--sid <sid>] [--rev <rev>]
This script runs various actions for Lilith, including search and the daemon.
-a <action>
The action to perform.
- Default :: search

-c <config>
The config file to use.
- Default :: /usr/local/etc/lilith.toml

-t <table>
Table to operate on.
- Default :: suricata

run
Start processing the EVE logs and daemonize.
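As an added example of the mapping the run action has to perform (this is illustration code, not Lilith's own Perl), the Python below takes constructed EVE JSON lines, keeps only event_type "alert" records, flattens the fields the search flags refer to, and builds a parameterized INSERT for them. The column names, the psycopg2-style %s placeholders and the sample records are assumptions; Lilith's real schema and SQL are not shown on this page. The two failure modes a daemon tailing eve.json meets, non-alert records and a malformed line, are skipped rather than aborting the feed.

```python
"""Turn Suricata EVE JSON alert records into rows for an alerts table.

Added illustration, not Lilith's own code: the column names below are
assumptions chosen to line up with the lilith search flags.
"""
import json

# Constructed sample EVE lines: two alerts, one flow record, one broken line.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T12:00:00.123456+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51515,"dest_ip":"203.0.113.9","dest_port":22,"proto":"TCP","in_iface":"em0","app_proto":"ssh","alert":{"gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2},"host":"sensor1"}
{"timestamp":"2024-05-01T12:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.9"}
not json at all
{"timestamp":"2024-05-01T12:00:02.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":4444,"dest_ip":"10.0.0.8","dest_port":445,"proto":"TCP","in_iface":"em0","app_proto":"smb","alert":{"gid":1,"signature_id":2024297,"rev":2,"signature":"ET EXPLOIT ETERNALBLUE Probe","category":"Attempted Administrator Privilege Gain","severity":1}}
"""

# Assumed table layout (not Lilith's): one column per thing search can filter on.
COLUMNS = ("timestamp", "host", "instance", "src_ip", "src_port", "dest_ip",
           "dest_port", "proto", "in_iface", "app_proto", "gid", "sid", "rev",
           "signature", "classification", "raw")


def eve_alert_to_row(line, instance):
    """Return a column->value dict for an EVE alert line, or None to skip it."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None                      # truncated/garbled line: skip, keep tailing
    if ev.get("event_type") != "alert":
        return None                      # flow, dns, http, ... are not forwarded
    a = ev.get("alert", {})
    return {
        "timestamp": ev["timestamp"],
        "host": ev.get("host"),          # absent unless the sensor emits it
        "instance": instance,            # which Suricata instance this feed belongs to
        "src_ip": ev.get("src_ip"),
        "src_port": ev.get("src_port"),
        "dest_ip": ev.get("dest_ip"),
        "dest_port": ev.get("dest_port"),
        "proto": ev.get("proto"),
        "in_iface": ev.get("in_iface"),
        "app_proto": ev.get("app_proto"),
        "gid": a.get("gid"),
        "sid": a.get("signature_id"),
        "rev": a.get("rev"),
        "signature": a.get("signature"),
        "classification": a.get("category"),
        "raw": line,                     # original record, for --raw style output
    }


def rows_from_eve(text, instance="suricata-em0"):
    """Rows for every forwardable alert in a block of EVE lines."""
    return [r for r in (eve_alert_to_row(ln, instance) for ln in text.splitlines()) if r]


def insert_statement(table="suricata"):
    """Parameterized INSERT (psycopg2 %s placeholders): values never enter the SQL text.

    The table name cannot be bound as a parameter, so it must come from the
    config file, never from user input.
    """
    cols = ", ".join(COLUMNS)
    marks = ", ".join(["%s"] * len(COLUMNS))
    return f"INSERT INTO {table} ({cols}) VALUES ({marks})"


def insert_params(row):
    """Bind values in COLUMNS order."""
    return tuple(row[c] for c in COLUMNS)


if __name__ == "__main__":
    for r in rows_from_eve(SAMPLE_EVE):
        print(insert_statement(), insert_params(r))
```

With a real connection the pair would be passed as `cursor.execute(insert_statement(), insert_params(row))`; the point of splitting them is that signature text and category names, which an attacker can influence through the rule that fires, never get concatenated into SQL.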
class_map
Print a table of class mappings from long name to the short name used for display in the search results.

create_tables
Create the tables in the DB.

dump_self
Initialize Lilith and then dump it via Data::Dumper.

event
Fetch an event. The table to use can be specified via -t.

--id <row_id>
Fetch the event via row ID.

--event <event_id>
Fetch the event via the event ID.

extend
Print a LibreNMS style extend.

-Z
Enable Gzip+Base64 LibreNMS style extend compression.

-m <minutes>
How far back to search. For the extend action, the default is 5 minutes.
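What an extend with and without -Z looks like on the wire, as an added example that is not Lilith's extend code: the Python below counts constructed alert rows that fall inside the -m window, wraps the counts in the generic LibreNMS JSON extend envelope (version, error, errorString, data), and for the compressed form emits base64 of the gzip'd JSON. The exact counters Lilith reports and its envelope version are assumptions; the decoder shows the check a poller-side script can use to accept either form.

```python
"""Summarize recent alerts into a LibreNMS-style extend, plain or gzip+base64.

Added illustration, not Lilith's own extend: the envelope keys follow the
generic LibreNMS JSON extend shape, and the counters in "data" are assumed.
"""
import base64
import gzip
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed alert rows, as if read back from the DB. Timestamps are UTC.
NOW = datetime(2024, 5, 1, 12, 10, 0, tzinfo=timezone.utc)
ROWS = [
    {"timestamp": NOW - timedelta(minutes=1), "instance": "sensor1",
     "classification": "Attempted Information Leak", "src_ip": "10.0.0.5"},
    {"timestamp": NOW - timedelta(minutes=3), "instance": "sensor1",
     "classification": "Attempted Administrator Privilege Gain", "src_ip": "198.51.100.7"},
    {"timestamp": NOW - timedelta(minutes=4), "instance": "sensor2",
     "classification": "Attempted Information Leak", "src_ip": "10.0.0.5"},
    {"timestamp": NOW - timedelta(minutes=30), "instance": "sensor2",
     "classification": "Attempted Information Leak", "src_ip": "10.0.0.9"},
]


def extend_data(rows, minutes=5, now=NOW):
    """Count alerts newer than `minutes` ago (the -m window), per instance and per class."""
    cutoff = now - timedelta(minutes=minutes)
    recent = [r for r in rows if r["timestamp"] >= cutoff]
    return {
        "total": len(recent),
        "instances": dict(Counter(r["instance"] for r in recent)),
        "classes": dict(Counter(r["classification"] for r in recent)),
    }


def render_extend(data, compress=False):
    """Wrap in the LibreNMS extend envelope; the -Z form is base64(gzip(json))."""
    envelope = {"version": 1, "error": 0, "errorString": "", "data": data}
    text = json.dumps(envelope, sort_keys=True)
    if not compress:
        return text
    return base64.b64encode(gzip.compress(text.encode())).decode()


def decode_extend(output):
    """Poller side: accept plain JSON, or fall back to base64+gzip of JSON."""
    try:
        return json.loads(output)
    except json.JSONDecodeError:
        return json.loads(gzip.decompress(base64.b64decode(output)))


if __name__ == "__main__":
    print(render_extend(extend_data(ROWS)))
    print(render_extend(extend_data(ROWS), compress=True))
```

The fallback in decode_extend is safe because gzip output always starts with the bytes 1f 8b, so its base64 form begins with "H4sI" and can never parse as JSON by accident.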
generate_baphomet_yamls
Generate the YAMLs for Baphomet.

--dir <dir>
The directory to write them out to.

get_short_class_snmp_list
Print a list of shortened class names for use with SNMP.
search
Search the DB. The table may be specified via -t.

The common option types for search are as below.
- Integer :: A comma separated list of integers to check for. Any number prefixed with a ! will be negated.
- String :: A string to check for. May be matched using like or negated via the proper options.
- Complex :: An item to match.
--output <return>
The output type.
- Values :: table,json
- Default :: table

-m <minutes>
How far back to go, in minutes.
- Default :: 1440
- Default, extend :: 5

--order <clm>
Column to sort by.
- Default :: timestamp

--orderdir <dir>
Direction to order in.
- Values :: ASC,DSC
- Default :: ASC

--si <src_ip>
Source IP.
- Default :: undef
- Type :: string

--di <dst_ip>
Destination IP.

--ip <ip>
IP, either dst or src.
- Default :: undef
- Type :: complex

--sp <src_port>
Source port.
- Default :: undef
- Type :: integer

--dp <dst_port>
Destination port.

--port <port>
Port, either dst or src.

How host and instance host are interpreted depends on the source.
- Sagan :: Host is the sending system and instance host is the host the instance is running on.
- Suricata :: Host is the system the instance is running on. There is no instance host.
--host <host>
Host.

--hostl
Use like for matching host.
- Default :: undef

--hosN
Invert host matching.

--ih <host>
Instance host.

--ihl
Use like for matching instance host.

--ihN
Invert instance host matching.

-i <instance>
Instance.

-il
Use like for matching instance.

-iN
Invert instance matching.

-c <class>
Classification.

--cl
Use like for matching classification.

--cN
Invert class matching.

-s <sig>
Signature.

--sl
Use like for matching signature.

--sN
Invert signature matching.

--if <if>
Interface.

--ifl
Use like for matching interface.

--ifN
Invert interface matching.

--ap <proto>
App proto.

--apl
Use like for matching app proto.

--apN
Invert app proto matching.

--gid <gid>
GID.

--sid <sid>
SID.

--rev <rev>
Rev.
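How the three option types above turn into a query, as an added example that is not Lilith's own query builder: the Python below takes an Integer spec such as "22,!443" (positives become IN, !-prefixed values become NOT IN), a String with its like and invert flags (the --xl and --xN pairs), the Complex --ip option (either end of the flow), the -m window, and the sort and paging options, and returns parameterized SQL plus its bound values. Column names, the %s placeholder style (psycopg2) and the SQL itself are assumptions. The practitioner's point it adds is that the sort column, direction and table name cannot be bound as parameters, so they are checked against allowlists before being interpolated; everything else is bound.

```python
"""Build a parameterized query from Lilith-style search options.

Added illustration of the Integer / String / Complex option types; not
Lilith's code. Column names and placeholder style are assumptions.
"""
import re

# Identifiers cannot be bound as parameters, so every identifier that comes
# from the command line is checked against an allowlist before interpolation.
SORTABLE = {"timestamp", "src_ip", "dest_ip", "src_port", "dest_port", "sid", "signature", "instance"}
FILTERABLE = SORTABLE | {"gid", "rev", "in_iface", "app_proto", "classification", "host", "instance_host"}
DIRECTIONS = {"ASC": "ASC", "DSC": "DESC"}   # the page spells the descending value DSC


def integer_clause(column, spec):
    """Integer type: '22,!443' -> 'col IN (%s) AND col NOT IN (%s)', [22, 443]."""
    want, reject = [], []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        neg = item.startswith("!")
        digits = item[1:] if neg else item
        if not re.fullmatch(r"\d+", digits):
            raise ValueError(f"{column}: {item!r} is not an integer")
        (reject if neg else want).append(int(digits))
    parts, params = [], []
    if want:
        parts.append(f"{column} IN ({', '.join(['%s'] * len(want))})")
        params += want
    if reject:
        parts.append(f"{column} NOT IN ({', '.join(['%s'] * len(reject))})")
        params += reject
    return " AND ".join(parts), params


def string_clause(column, value, like=False, invert=False):
    """String type: equality or LIKE on one column, optionally negated."""
    if like:
        op = "NOT LIKE" if invert else "LIKE"
    else:
        op = "<>" if invert else "="
    return f"{column} {op} %s", [value]


def build_search(table="suricata", minutes=1440, order="timestamp", orderdir="ASC",
                 limit=100, offset=0, ip=None, ints=None, strings=None):
    """ints: {column: spec}; strings: {column: (value, like, invert)}."""
    if order not in SORTABLE or orderdir not in DIRECTIONS:
        raise ValueError("refusing to interpolate an unknown sort column or direction")
    if not re.fullmatch(r"[a-z_][a-z0-9_]*", table):
        raise ValueError("table name must come from the config, not user input")
    where = ["timestamp >= NOW() - (%s * INTERVAL '1 minute')"]   # the -m window
    params = [int(minutes)]
    if ip is not None:                       # Complex type: match either end of the flow
        where.append("(src_ip = %s OR dest_ip = %s)")
        params += [ip, ip]
    for column, spec in (ints or {}).items():
        if column not in FILTERABLE:
            raise ValueError(f"unknown column {column!r}")
        clause, p = integer_clause(column, spec)
        if clause:
            where.append(clause)
            params += p
    for column, (value, like, invert) in (strings or {}).items():
        if column not in FILTERABLE:
            raise ValueError(f"unknown column {column!r}")
        clause, p = string_clause(column, value, like, invert)
        where.append(clause)
        params += p
    sql = (f"SELECT * FROM {table} WHERE {' AND '.join(where)} "
           f"ORDER BY {order} {DIRECTIONS[orderdir]} LIMIT %s OFFSET %s")
    params += [int(limit), int(offset)]
    return sql, params


if __name__ == "__main__":
    # Rough equivalent of: lilith -a search -m 60 --ip 10.0.0.5 --dp '22,!443' -s '%SSH%' --sl
    print(build_search(minutes=60, ip="10.0.0.5", ints={"dest_port": "22,!443"},
                       strings={"signature": ("%SSH%", True, False)}))
```

Note that a like match passes the pattern through unchanged, so a caller supplies the % wildcards; and because the negation marker is parsed off before the integer check, a value like "!22abc" is rejected rather than silently matching nothing.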
The following settings control how search results are displayed.

The Text::ANSITable table color to use.
- Default :: Text::ANSITable::Standard::NoGradation

The Text::ANSITable border type to use.
- Default :: ASCII::None

Perl boolean for whether IPs should be colored or not.
- Default :: 1

ANSI color to use for private IPs.
- Default :: bright_green

ANSI color to use for remote IPs.
- Default :: bright_yellow

ANSI color to use for local IPs.
- Default :: bright_red

Perl boolean for whether microseconds should be dropped or not.

Whether the Lilith instance column info should be colored.

Color for the instance name.
- Default :: bright_blue

Color for the instance slug.
- Default :: bright_magenta

Color for the instance loc.
- Default :: bright_cyan
To install Lilith, run one of the following in your terminal.

cpanm:
cpanm Lilith

CPAN shell:
perl -MCPAN -e shell
install Lilith

For more information on module installation, please visit the detailed CPAN module installation guide.