public inbox for development@lists.ipfire.org
From: Robin Roevens <robin.roevens@disroot.org>
To: Michael Tremer <michael.tremer@ipfire.org>
Cc: "IPFire: Development-List" <development@lists.ipfire.org>
Subject: Zabbix support for suricata-reporter
Date: Thu, 02 Oct 2025 23:04:55 +0200
Message-ID: <56ad0ff847bb0b5b5808084321ac52efd63cd16f.camel@disroot.org>

Hi Michael

I saw there is a suricata-reporter in the upcoming CU. And I was
wondering if I could add an additional reporter into it for sending
alerts straight to Zabbix, next to syslog and email.
I have already been experimenting with parsing fast.log using the
zabbix_agentd, which seems to work quite well. But since there is now a
reporter, it would be nice to have it support sending alerts to zabbix
directly instead of zabbix separately monitoring the fast.log file.

If that would be OK for you, there are 2 possible ways to do this:
- using the zabbix_utils python library:
https://blog.zabbix.com/python-zabbix-utils/27056/
- or using the zabbix_sender command utility that currently gets
installed when installing zabbix_agentd

I assume using the Python library will probably be the most performant
option; but then I should also create a zabbix_utils Python library
pak-file?

Both the Python module and the command-line CLI have the possibility to
get Zabbix server connection info from the zabbix_agentd config file, so
the config of the reporter would be something like:
[zabbix]
enabled = true
zabbix_agentd_config = /etc/zabbix_agentd/zabbix_agentd.conf
alert_item_key = ipfire.suricata.event.get

Then the reporter can format the incoming suricata alert/event as json
and send it to the configured alert_item_key on the zabbix server as
configured in the zabbix_agentd.conf

Is this something you are open to? Then I can try to create a patch for
suricata-reporter. (where should I then submit it? Also on this list?)

If not I will have to continue working on the fast.log parsing.

And while on the topic of monitoring suricata: I would like to get some
extra stats from it, which, as far as I currently know, can be
retrieved using the suricata unix-socket that is currently disabled by
default on ipfire. Many seem to use a 'suricatasc' tool to query
suricata using that socket, but that tool is not available on ipfire.
Is it possible to have it on ipfire, or should I start experimenting
using socat?
And if successful, is it then allowed for a future zabbix_agentd addon
pak to enable that socket in the suricata config?
If you dislike the idea of enabling and querying the socket, another
possibility is having suricata dump stats in a separate stats.log which
I should then be able to parse using Zabbix.

Before I start any implementations, what are your thoughts about all
this?

Regards
Robin

-- 
This message has been scanned for viruses and other dangerous
content by MailScanner and appears to be clean.
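The reporter flow sketched in the message above (take server and hostname from zabbix_agentd.conf, format the Suricata alert as JSON, hand it to the configured alert_item_key via zabbix_sender) as an added Python example; this is not code from suricata-reporter or from the original post. The agentd config excerpt and the EVE alert record are constructed samples, and the `active_server` helper, EVE-JSON input format and the selected output fields are assumptions.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed zabbix_agentd.conf excerpt (not IPFire's shipped file).
AGENTD_CONF = """# constructed sample
Server=192.0.2.10
ServerActive=192.0.2.10:10051
Hostname=ipfire.example.test
"""

# Constructed Suricata EVE alert; sid 9000001 is in the local-rule range, not a real ET rule.
EVE_ALERT = {
    "timestamp": "2025-10-02T21:04:55.000000+0200", "event_type": "alert",
    "src_ip": "198.51.100.23", "src_port": 44321, "dest_ip": "192.0.2.5",
    "dest_port": 22, "proto": "TCP",
    "alert": {"signature_id": 9000001, "rev": 1, "severity": 2,
              "signature": "LOCAL TEST constructed alert", "category": "Misc Attack"},
}

ITEM_KEY_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # plain trapper key, no parameters

def parse_agentd_config(text: str) -> Dict[str, str]:
    """key=value lines of zabbix_agentd.conf; comments skipped, later keys win."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def active_server(conf: Dict[str, str]) -> Tuple[str, int]:
    """First ServerActive entry as (host, port); trapper port defaults to 10051. IPv4/hostnames only."""
    first = conf["ServerActive"].split(",")[0].strip()
    host, _, port = first.rpartition(":")
    return (host, int(port)) if host else (first, 10051)

def alert_to_value(event: dict) -> str:
    """Flatten the EVE alert to the fields an operator wants in Zabbix, as compact JSON."""
    if event.get("event_type") != "alert":
        raise ValueError("only alert events are reported")
    a = event["alert"]
    return json.dumps({"timestamp": event["timestamp"],
                       "src": f'{event["src_ip"]}:{event.get("src_port", "")}',
                       "dst": f'{event["dest_ip"]}:{event.get("dest_port", "")}',
                       "proto": event.get("proto"), "sid": a["signature_id"],
                       "severity": a["severity"], "signature": a["signature"],
                       "category": a.get("category")}, separators=(",", ":"))

def build_sender_argv(config_path: str, item_key: str, value: str) -> List[str]:
    """zabbix_sender argv; -c makes it read ServerActive and Hostname from the agent config."""
    if not ITEM_KEY_RE.match(item_key):
        raise ValueError(f"bad item key: {item_key!r}")
    return ["zabbix_sender", "-c", config_path, "-k", item_key, "-o", value]
```

The argv list is meant for subprocess.run; `active_server` gives the (host, port) pair the zabbix_utils Sender path would need instead of the CLI.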



Thread overview: 7+ messages
2025-10-02 21:04 Robin Roevens [this message]
2025-10-04 10:52 ` Michael Tremer
2025-10-04 11:41   ` Adolf Belka
2025-10-16 22:06     ` Robin Roevens
2025-10-17 11:20       ` Adolf Belka
2025-10-16 21:59   ` [SPAM Warning!]Re: " Robin Roevens
2025-10-24 11:06     ` Michael Tremer