Ping! Pop! Pow! Real-Time Security with Suricata, StackStorm & Slack.

Crispin

Hey dev.to community!

I was recently learning a few SecOps topics and was trying things out with the tool StackStorm (it's basically an IFTTT tool for DevOps) that helps in event-driven automation. So then I thought, why not combine it with the good old Suricata tool, and hence this blog... ;)


TL;DR: What We’re Building

We’ll wire up Suricata (our network IDS) to StackStorm (our event-driven automation engine), so that whenever Suricata spots suspicious traffic, StackStorm picks it up and shoots an alert into Slack. No more manually tailing logs: your chat app becomes your security ops dashboard!


So enough talking and let's start doing!

Why is this cool?

Coz I find it. 😂 jk. Yeah, even I had this question earlier, but later, after GPT-ing and trying things out, this seemed way cooler, just like a security admin or smth lol.

Imo, these are a few =>

  • Real-time Security: Get notified instantly when something weird pops up on your network.
  • Hands-On Automation: Learn how sensors, rules, and actions fit together in StackStorm.
  • Slack Integration: Everyone loves Slack (Teams ;)) and it’s a familiar place to see alerts.
  • Super Simple: We’ll use out-of-the-box components and minimal code so even newbies can follow along.

What I'll be using for this setup

  1. A Linux VM - Ubuntu (not a hecker, sadly🤧🐉).
  2. Docker (optional, but makes life easier).
  3. Suricata installed and running in IDS mode.
  4. StackStorm installed.
  5. A Slack workspace and a Slack “Incoming Webhook” URL.

First, we get Suricata logging alerts

  1. Install Suricata:
     sudo apt update
     sudo apt install suricata
  2. Enable EVE JSON output in /etc/suricata/suricata.yaml (the stock config already ships an eve-log block; make sure it is enabled and points at the file below):
     outputs:
       - eve-log:
           enabled: yes
           filetype: regular
           filename: /var/log/suricata/eve.json
  3. Pull the current rule set, restart Suricata so it loads them, and generate some test alerts:
     sudo suricata-update
     sudo systemctl restart suricata
     # Then run an nmap or scapy script against the box to trigger IDS rules

Then, we spin up StackStorm

For this blog I'll use Docker, but you can even run it natively as you prefer.

docker run --name st2 \
  -d \
  -v /var/log/suricata:/var/log/suricata \
  -p 9100:9100 \
  -p 9101:9101 \
  stackstorm/stackstorm:3.5

Now verify that StackStorm is running. With the Docker setup, the st2 and st2ctl commands in this post run inside the container (docker exec -it st2 ...):

st2 status
st2 action list

The core event logic

We'll create a Suricata sensor in StackStorm.

StackStorm “sensors” watch for external events. We’ll write a tiny Python sensor that tails /var/log/suricata/eve.json and emits each alert as a StackStorm trigger.

Create a new sensor file, /opt/stackstorm/packs/suricata/sensors/suricata_sensor.py

from st2reactor.sensor.base import Sensor
import json
import time


class SuricataSensor(Sensor):
    def __init__(self, sensor_service, config):
        super(SuricataSensor, self).__init__(sensor_service=sensor_service, config=config)
        self._filename = '/var/log/suricata/eve.json'

    def setup(self):
        # Nothing to prepare; the log file is opened in run().
        pass

    def run(self):
        with open(self._filename) as f:
            # Seek to the end so only new events are dispatched, not the backlog.
            f.seek(0, 2)
            while True:
                line = f.readline().strip()
                if not line:
                    time.sleep(1)
                    continue
                try:
                    data = json.loads(line)
                except ValueError:
                    # Half-written or non-JSON line: skip it instead of crashing the sensor.
                    continue
                if data.get('event_type') == 'alert':
                    self._sensor_service.dispatch(trigger='suricata.alert', payload=data)

    def cleanup(self):
        pass

    # The Sensor base class declares these abstract as well; this sensor has no
    # dynamic triggers, so they are no-ops.
    def add_trigger(self, trigger):
        pass

    def update_trigger(self, trigger):
        pass

    def remove_trigger(self, trigger):
        pass

Now, register the sensor with a metadata file next to it, /opt/stackstorm/packs/suricata/sensors/suricata_sensor.yaml (StackStorm reads sensor metadata from the pack's sensors/ directory, and the pack itself needs a pack.yaml describing it):

class_name: SuricataSensor
entry_point: suricata_sensor.py
description: "Watches Suricata eve.json for alerts"
trigger_types:
  # The trigger ref is <pack>.<name>, i.e. suricata.alert, which is what the sensor dispatches.
  - name: alert
    description: "Triggered on Suricata IDS alert"
    payload_schema:
      type: object

Then, reload StackStorm so it picks up your new pack.

st2ctl reload --register-all

Now, define a rule to catch the trigger (final)

StackStorm “rules” link triggers to actions. We’ll catch suricata.alert and then call the slack pack's post_message action (install the pack first with st2 pack install slack).

Rule file: /opt/stackstorm/packs/suricata/rules/slack_alert.yaml

name: send_suricata_alert_to_slack
pack: suricata
description: Send Suricata alert details to Slack
enabled: true
trigger:
  type: suricata.alert
action:
  ref: slack.post_message
  parameters:
    channel: "#alerts"
    # post_message takes the message body in its "message" parameter
    message: |
      :rotating_light: *Suricata Alert!* :rotating_light:
      *Signature:* {{ trigger.payload.alert.signature }}
      *Severity:* {{ trigger.payload.alert.severity }}
      *Source:* {{ trigger.payload.src_ip }}:{{ trigger.payload.src_port }}
      *Destination:* {{ trigger.payload.dest_ip }}:{{ trigger.payload.dest_port }}

Then, you have to configure the Slack webhook for the pack in /opt/stackstorm/configs/slack.yaml (pack configs live in that directory, and the keys must match the slack pack's config.schema.yaml). Anyone holding the webhook URL can post to your channel, so keep this file out of version control.

post_message_action:
  webhook_url: "https://hooks.slack.com/services/hee/hee/hee"

And for one last time, reload.


I know you're like this 😂, but we have to.

st2ctl reload --register-all

It's time to test!

Generate a known alert (e.g. run nmap -sS against your box).

Watch your StackStorm logs (/var/log/st2/st2sensorcontainer.log) to see the trigger fire.

Check your Slack channel—you should get a nicely formatted alert message within seconds!

Heehee... we’ve now built a simple, end-to-end event-driven security workflow!

😂See ya!

P.S. We can even add filtering (only alert on high-severity events), automated responses (trigger a firewall block or a cloud security group update) and dashboards by pushing alerts into Elasticsearch and visualizing them with Kibana, and what not lol! Do follow for more blogs in the future.
