NAME
lilith - Forward EVE log alerts to PostgreSQL and make them searchable.
SYNOPSIS
lilith [-c <config>] -a run
lilith [-c <config>] -a class_map
lilith [-c <config>] -a create_tables
lilith [-c <config>] -a dump_self
lilith [-c <config>] -a event [-t <table>] --id <row_id> [--raw] [[--pcap <output file>] [--virani <remote>] [--buffer <buffer seconds>]]
lilith [-c <config>] -a event [-t <table>] --event <event_id> [--raw] [[--pcap <output file>] [--virani <remote>] [--buffer <buffer seconds>]]
lilith [-c <config>] -a extend [-Z] [-m <minutes>]
lilith [-c <config>] -a generate_baphomet_yamls --dir <dir>
lilith [-c <config>] -a get_short_class_snmp_list
lilith [-c <config>] -a search [--output <return>] [-t <table>] [-m <minutes>] [--order <clm>] [--limit <int>] [--offset <int>] [--orderdir <dir>] [--si <src_ip>] [--di <dst_ip>] [--ip <ip>] [--sp <src_port>] [--dp <dst_port>] [--port <port>] [--host <host>] [--hostl] [--hostN] [--ih <host>] [--ihl] [--ihN] [-i <instance>] [--il] [--iN] [-c <class>] [--cl] [--cN] [-s <sig>] [--sl] [--sN] [--if <if>] [--ifl] [--ifN] [--ap <proto>] [--apl] [--apN] [--gid <gid>] [--sid <sid>] [--rev <rev>] [--subip <subip>] [--subhost <subhost>] [--slug <slug>] [--pkg <pkg>] [--malscore <malscore>] [--size <size>] [--target <target>] [--task <task>]
DESCRIPTION
This script runs various actions for Lilith, including search and the daemon.
GENERAL SWITCHES
-a <action>
The action to perform.
- Default :: search
-c <config>
The config file to use.
- Default :: /usr/local/etc/lilith.toml
-t <table>
Table to operate on.
- Default :: suricata
ACTIONS
run
Start processing the EVE logs and daemonize.
class_map
Print a table of class mapping from long name to the short name used for display in the search results.
create_tables
Create the tables in the DB.
dump_self
Initialize Lilith and then dump the resulting object via Data::Dumper.
event
Fetches an event. The table to use can be specified via -t.
--id <row_id>
Fetch event via row ID.
--event <event_id>
Fetch the event via the event ID.
--raw
Do not decode the EVE JSON.
--pcap <file>
Fetch the remote PCAP via Virani and write it to the file. Only usable with Suricata tables.
Default :: undef
--virani <conf>
Virani setting to pass to -r.
Default :: instance name in alert
--buffer <secs>
How many seconds to pad the start and end time with.
Default :: 60
extend
Prints a LibreNMS style extend.
-Z
Enable Gzip+Base64 LibreNMS style extend compression.
-m <minutes>
How far back to search. For the extend action, 5 minutes is the default.
generate_baphomet_yamls
Generate the YAMLs for Baphomet.
-d <dir>
The directory to write them out to.
get_short_class_snmp_list
Print a list of shortened class names for use with SNMP.
search
Search the DB. The table may be specified via -t.
The common option types for search are as below.
- Integer :: A comma separated list of integers to check for. Any number
prefixed with a ! will be negated.
- String :: A string to check for. May be matched using like or negated via
the proper options.
- Complex :: An item to match.
- IP :: An IP.
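The option types above map naturally onto parameterised SQL. As an added example (not lilith's own code), the following Python turns values in the documented Integer, String and IP forms into WHERE fragments with DBI-style ? placeholders, so the user-supplied value is only ever bound, never spliced into the query text; the column names passed in are assumed, since the real table layout is not on this page.

```python
import ipaddress
import re

# Added example, not lilith's own code: build WHERE fragments with '?' placeholders
# from search values in the documented Integer / String / IP forms.
# Column names are assumed; the real table layout is not documented here.

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")   # column names come from code, not users
_INT_ITEM = re.compile(r"^!?\d+$")                  # one Integer list entry, optional '!'


def _column(name):
    if not _IDENT.match(name):
        raise ValueError("bad column name: %r" % name)
    return name


def integer_clause(column, value):
    """Integer :: comma separated list; a leading '!' negates that entry."""
    column = _column(column)
    wanted, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not _INT_ITEM.match(item):               # rejects '80; DROP TABLE', '1 OR 1=1', ...
            raise ValueError("not an integer filter item: %r" % item)
        (excluded if item[0] == "!" else wanted).append(int(item.lstrip("!")))
    parts, params = [], []
    if wanted:
        parts.append("%s IN (%s)" % (column, ", ".join("?" * len(wanted))))
        params.extend(wanted)
    for n in excluded:
        parts.append("%s <> ?" % column)
        params.append(n)
    return " AND ".join(parts), params


def string_clause(column, value, like=False, negate=False):
    """String :: exact match, LIKE with the *l switch, inverted with the *N switch."""
    op = {(False, False): "=", (True, False): "LIKE",
          (False, True): "<>", (True, True): "NOT LIKE"}[(like, negate)]
    return "%s %s ?" % (_column(column), op), [value]


def ip_clause(column, value):
    """IP :: validated as an address before it is bound; junk raises ValueError."""
    return "%s = ?" % _column(column), [str(ipaddress.ip_address(value))]


def build_where(*clauses):
    """AND the fragments together; returns (sql, params) for prepare/execute."""
    sql = " AND ".join("(%s)" % c for c, _ in clauses if c)
    params = [p for _, ps in clauses for p in ps]
    return sql, params
```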
General Search Options
--output <return>
The output type.
- Values :: table,json
- Default :: table
-m <minute>
How far back to go, in minutes.
- Default :: 1440
- Default, extend :: 5
--order <column>
Column to use for sorting by.
- Default :: timestamp
- Cape Default :: stop
--orderdir <direction>
Direction to order in.
- Values :: ASC,DSC
- Default :: ASC
IP Options
--si <src IP>
Source IP.
- Default :: undef
- Type :: IP
--di <dst IP>
Destination IP.
- Default :: undef
- Type :: IP
--ip <IP>
IP, either dst or src.
- Default :: undef
- Type :: complex IP
Port Options
--sp <src port>
Source port.
- Default :: undef
- Type :: integer
--dp <dst port>
Destination port.
- Default :: undef
- Type :: integer
-p <port>
Port, either dst or src.
- Default :: undef
- Type :: complex integer
Host Options
Sagan :: Host is the sending system and instance host is the host the
instance is running on.
Suricata :: Host is the system the instance is running on. There is no
instance host.
--host <host>
Host.
- Default :: undef
- Type :: string
--hostl
Use like for matching host.
- Default :: undef
- Type :: string
--hostN
Invert host matching.
- Default :: undef
- Type :: string
Instance Host Options
--ih <host>
Instance host.
- Default :: undef
- Type :: string
--ihl
Use like for matching instance host.
- Default :: undef
--ihN
Invert instance host matching.
- Default :: undef
Instance Options
-i <instance>
Instance.
- Default :: undef
- Type :: string
--il
Use like for matching instance.
- Default :: undef
- Type :: string
--iN
Invert instance matching.
- Default :: undef
- Type :: string
Class Options
-c <class>
Classification.
- Default :: undef
- Type :: string
--cl
Use like for matching classification.
- Default :: undef
- Type :: string
--cN
Invert class matching.
- Default :: undef
- Type :: string
Signature Options
-s <sig>
Signature.
- Default :: undef
- Type :: string
--sl
Use like for matching signature.
- Default :: undef
- Type :: string
--sN
Invert signature matching.
- Default :: undef
- Type :: string
In Interface Options
--if <if>
Interface.
- Default :: undef
- Type :: string
--ifl
Use like for matching interface.
- Default :: undef
--ifN
Invert interface matching.
- Default :: undef
App Proto Options
--ap <proto>
App proto.
- Default :: undef
- Type :: string
--apl
Use like for matching app proto.
- Default :: undef
--apN
Invert app proto matching.
- Default :: undef
Rule Options
--gid <gid>
GID.
- Default :: undef
- Type :: integer
--sid <sid>
SID.
- Default :: undef
- Type :: integer
--rev <rev>
Rev.
- Default :: undef
- Type :: integer
CAPEv2 Options
--slug <slug>
The slug it was submitted with.
- Default :: undef
- Type :: string
--pkg <pkg>
The detonation package used with CAPEv2.
- Default :: undef
- Type :: string
--malscore <malscore>
The malscore of the sample.
- Default :: undef
- Type :: integer
--size <size>
The size of the sample.
- Default :: undef
- Type :: integer
--target <target>
The detonation target.
- Default :: undef
- Type :: string
--task <task>
The task ID of the run.
- Default :: undef
- Type :: integer
--subip <subip>
The IP the sample was submitted from.
- Default :: undef
- Type :: IP
--subhost <subhost>
The host the sample was submitted from.
- Default :: undef
- Type :: string
ENVIRONMENT VARIABLES
Lilith_table_color
The Text::ANSITable table color to use.
- Default :: Text::ANSITable::Standard::NoGradation
Lilith_table_border
The Text::ANSITable border type to use.
- Default :: ASCII::None
Lilith_IP_color
Perl boolean for if IPs should be colored or not.
- Default :: 1
Lilith_IP_private_color
ANSI color to use for private IPs.
- Default :: bright_green
Lilith_IP_remote_color
ANSI color to use for remote IPs.
- Default :: bright_yellow
Lilith_IP_local_color
ANSI color to use for local IPs.
- Default :: bright_red
Lilith_timesamp_drop_micro
Perl boolean for if microseconds should be dropped or not.
- Default :: 1
Lilith_instance_color
Perl boolean for if the lilith instance column info should be colored.
- Default :: 1
Lilith_instance_type_color
Color for the instance name.
- Default :: bright_blue
Lilith_instance_slug_color
Color for the instance slug.
- Default :: bright_magenta
Lilith_instance_loc_color
Color for the instance loc.
- Default :: bright_cyan
CONFIG FILE
The default config file is `/usr/local/etc/lilith.toml`.
- dsn :: A DSN connection string to be used by DBI
- pass :: Password to use for the connection.
- user :: User to use for the connection.
- class_ignore :: Array of classes to ignore.
Sub hashes are then treated as an instance. The following values are available for each.
- eve :: The EVE file to follow.
- type :: `sagan` or `suricata`, depending on which it is.
- instance :: The name for the instance. If not specified the hash name is used.
Example...
dsn="dbi:Pg:dbname=lilith;host=192.168.1.2"
pass="WhateverYouSetAsApassword"
user="lilith"
# a handy one to ignore for the extend as it is spammy
class_ignore=["Generic Protocol Command Decode"]
# add a suricata instance to monitor
[suricata-eve]
instance="foo-pie"
type="suricata"
eve="/var/log/suricata/alert.json"
# add a second suricata instance to monitor
[another-eve]
instance="foo2-pie"
type="suricata"
eve="/var/log/suricata/alert2.json"
# add a sagan eve to monitor
# instance name is 'foo-lae', given there is no value for instance
[foo-lae]
type="sagan"
eve="/var/log/sagan/alert.json"