chiefgeek/linux-scripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync all scripts from website downloads — 352 scripts total

Browse Source 
Includes updated JS challenge scripts with Claude-User whitelist,
same-site referer bypass, Blackbox-Exporter allowed bot, and all
new exporters, cheat sheets, and automation scripts.
This commit is contained in:
Phil Connor
2026-05-25 03:31:08 +02:00
parent dbd6bf0324
commit a1a17e81a1
332 changed files with 174509 additions and 1106 deletions
Download Patch File Download Diff File Expand all files Collapse all files
suricata-exporter.sh
+474
View File
@@ -0,0 +1,474 @@
#!/bin/bash
################################################################################
# Script Name: suricata-exporter.sh
# Version: 1.0
# Description: Prometheus exporter for Suricata IDS/IPS — alert counts by
# severity, top signatures, protocol breakdown, flow stats,
# drop counts, decoder errors, and eve.json processing metrics
#
# Author: Phil Connor
# Contact: contact@mylinux.work
# Website: https://mylinux.work
# License: MIT
#
# Prerequisites:
# - Suricata installed and running
# - jq for JSON parsing
# - Access to eve.json log and suricata.socket
# - Root/sudo access
#
# Usage:
# # Output to stdout
# sudo ./suricata-exporter.sh
#
# # HTTP server mode
# sudo ./suricata-exporter.sh --http -p 9196
#
# # Textfile collector mode
# sudo ./suricata-exporter.sh --textfile
#
# Metrics Exported:
# - suricata_up - Exporter status (1=up, 0=down)
# - suricata_exporter_info{version} - Exporter version info
# - suricata_alerts_total - Total alerts from eve.json
# - suricata_alerts_by_severity{severity} - Alerts by severity level
# - suricata_alerts_by_category{category} - Alerts by classification
# - suricata_top_signature_alerts{signature,sid} - Top triggered signatures
# - suricata_flows_total - Total tracked flows
# - suricata_flows_by_protocol{protocol} - Flows by protocol
# - suricata_packets_total - Total packets processed
# - suricata_bytes_total - Total bytes processed
# - suricata_drops_total - Total dropped packets (IPS mode)
# - suricata_decoder_errors_total - Decoder error count
# - suricata_detect_alerts_total - Detection engine alert count
# - suricata_uptime_seconds - Suricata process uptime
# - suricata_memory_bytes - Suricata memory usage
# - suricata_rules_loaded - Number of loaded rules
# - suricata_rules_failed - Number of rules that failed to load
# - suricata_capture_kernel_drops - Kernel-level packet drops
# - suricata_exporter_duration_seconds - Script execution time
# - suricata_exporter_last_run_timestamp - Last run timestamp
#
# Configuration:
# Default HTTP port: 9196
# Textfile directory: /var/lib/node_exporter
# Eve log: /var/log/suricata/eve.json
#
################################################################################
# ============================================================================
# CONFIGURATION VARIABLES
# ============================================================================
TEXTFILE_DIR="/var/lib/node_exporter"
OUTPUT_FILE=""
HTTP_MODE=false
HTTP_PORT=9196
EVE_LOG="/var/log/suricata/eve.json"
SURICATA_SOCKET="/var/run/suricata/suricata-command.socket"
LOOKBACK_LINES=50000
EXPORTER_VERSION="1.0"
# ============================================================================
# HELPER FUNCTIONS
# ============================================================================
show_usage() {
cat <<EOF
Usage: $0 [OPTIONS]
Export Suricata IDS/IPS statistics as Prometheus metrics.
MODES:
--textfile Write to node_exporter textfile collector
--http Run HTTP server on port $HTTP_PORT
OPTIONS:
-p, --port HTTP port (default: $HTTP_PORT)
-o, --output Output file path
--eve PATH Path to eve.json (default: $EVE_LOG)
--lines N Number of eve.json lines to parse (default: $LOOKBACK_LINES)
EXAMPLES:
sudo $0 --textfile
sudo $0 --http --port 9196
sudo $0 --eve /var/log/suricata/eve.json
sudo $0 -o /tmp/suricata.prom
EOF
exit 0
}
parse_args() {
while [[ $# -gt 0 ]]; do
case $1 in
-h|--help) show_usage ;;
--textfile) OUTPUT_FILE="$TEXTFILE_DIR/suricata.prom"; shift ;;
--http) HTTP_MODE=true; shift ;;
-p|--port) HTTP_PORT="$2"; shift 2 ;;
-o|--output) OUTPUT_FILE="$2"; shift 2 ;;
--eve) EVE_LOG="$2"; shift 2 ;;
--lines) LOOKBACK_LINES="$2"; shift 2 ;;
*) echo "Unknown option: $1" >&2; exit 1 ;;
esac
done
}
prom_escape() {
local val="$1"
val="${val//\\/\\\\}"
val="${val//\"/\\\"}"
val="${val//$'\n'/}"
echo "$val"
}
check_suricata() {
if ! pgrep -x suricata >/dev/null 2>&1; then
return 1
fi
return 0
}
# ============================================================================
# DATA COLLECTION
# ============================================================================
get_suricata_stats() {
if [ -S "$SURICATA_SOCKET" ]; then
echo "dump-counters" | suricatasc "$SURICATA_SOCKET" 2>/dev/null
fi
}
get_eve_alerts() {
if [ -f "$EVE_LOG" ]; then
tail -n "$LOOKBACK_LINES" "$EVE_LOG" | jq -c 'select(.event_type == "alert")' 2>/dev/null
fi
}
get_eve_stats() {
if [ -f "$EVE_LOG" ]; then
tail -n "$LOOKBACK_LINES" "$EVE_LOG" | jq -c 'select(.event_type == "stats")' 2>/dev/null | tail -1
fi
}
get_suricata_pid() {
pgrep -x suricata | head -1
}
# ============================================================================
# METRIC GENERATION
# ============================================================================
generate_metrics() {
local script_start
script_start=$(date +%s%N 2>/dev/null || date +%s)
if ! check_suricata; then
cat <<EOF
# HELP suricata_up Suricata exporter status
# TYPE suricata_up gauge
suricata_up 0
EOF
return
fi
cat <<EOF
# HELP suricata_up Suricata exporter status
# TYPE suricata_up gauge
suricata_up 1
# HELP suricata_exporter_info Exporter version information
# TYPE suricata_exporter_info gauge
suricata_exporter_info{version="$EXPORTER_VERSION"} 1
EOF
echo ""
# ========================================================================
# PROCESS METRICS
# ========================================================================
local pid
pid=$(get_suricata_pid)
if [ -n "$pid" ]; then
local uptime_seconds=0
local memory_bytes=0
if [ -f "/proc/$pid/stat" ]; then
local starttime btime clk_tck now_seconds
starttime=$(awk '{print $22}' "/proc/$pid/stat" 2>/dev/null)
btime=$(awk '/^btime/ {print $2}' /proc/stat 2>/dev/null)
clk_tck=$(getconf CLK_TCK 2>/dev/null || echo 100)
now_seconds=$(date +%s)
if [ -n "$starttime" ] && [ -n "$btime" ]; then
local start_seconds=$((btime + starttime / clk_tck))
uptime_seconds=$((now_seconds - start_seconds))
fi
fi
if [ -f "/proc/$pid/status" ]; then
memory_bytes=$(awk '/^VmRSS:/ {print $2 * 1024}' "/proc/$pid/status" 2>/dev/null)
memory_bytes=${memory_bytes:-0}
fi
cat <<EOF
# HELP suricata_uptime_seconds Suricata process uptime
# TYPE suricata_uptime_seconds gauge
suricata_uptime_seconds $uptime_seconds
# HELP suricata_memory_bytes Suricata RSS memory usage
# TYPE suricata_memory_bytes gauge
suricata_memory_bytes $memory_bytes
EOF
fi
echo ""
# ========================================================================
# STATS FROM EVE.JSON
# ========================================================================
local stats_json
stats_json=$(get_eve_stats)
if [ -n "$stats_json" ]; then
local capture_packets capture_bytes capture_drops
local decoder_errors detect_alerts
local rules_loaded rules_failed
capture_packets=$(echo "$stats_json" | jq '.stats.capture.kernel_packets // 0' 2>/dev/null)
capture_bytes=$(echo "$stats_json" | jq '.stats.decoder.bytes // 0' 2>/dev/null)
capture_drops=$(echo "$stats_json" | jq '.stats.capture.kernel_drops // 0' 2>/dev/null)
decoder_errors=$(echo "$stats_json" | jq '.stats.decoder.invalid // 0' 2>/dev/null)
detect_alerts=$(echo "$stats_json" | jq '.stats.detect.alert // 0' 2>/dev/null)
cat <<EOF
# HELP suricata_packets_total Total packets processed
# TYPE suricata_packets_total counter
suricata_packets_total ${capture_packets:-0}
# HELP suricata_bytes_total Total bytes processed
# TYPE suricata_bytes_total counter
suricata_bytes_total ${capture_bytes:-0}
# HELP suricata_drops_total Total dropped packets
# TYPE suricata_drops_total counter
suricata_drops_total ${capture_drops:-0}
# HELP suricata_capture_kernel_drops Kernel-level packet drops
# TYPE suricata_capture_kernel_drops counter
suricata_capture_kernel_drops ${capture_drops:-0}
# HELP suricata_decoder_errors_total Decoder errors
# TYPE suricata_decoder_errors_total counter
suricata_decoder_errors_total ${decoder_errors:-0}
# HELP suricata_detect_alerts_total Detection engine alerts
# TYPE suricata_detect_alerts_total counter
suricata_detect_alerts_total ${detect_alerts:-0}
EOF
echo ""
# Flow stats by protocol
local tcp_flows udp_flows icmp_flows
tcp_flows=$(echo "$stats_json" | jq '.stats.flow.tcp // 0' 2>/dev/null)
udp_flows=$(echo "$stats_json" | jq '.stats.flow.udp // 0' 2>/dev/null)
icmp_flows=$(echo "$stats_json" | jq '.stats.flow.icmp // 0' 2>/dev/null)
local total_flows=$(( ${tcp_flows:-0} + ${udp_flows:-0} + ${icmp_flows:-0} ))
cat <<EOF
# HELP suricata_flows_total Total tracked flows
# TYPE suricata_flows_total counter
suricata_flows_total $total_flows
# HELP suricata_flows_by_protocol Flows by protocol
# TYPE suricata_flows_by_protocol counter
suricata_flows_by_protocol{protocol="tcp"} ${tcp_flows:-0}
suricata_flows_by_protocol{protocol="udp"} ${udp_flows:-0}
suricata_flows_by_protocol{protocol="icmp"} ${icmp_flows:-0}
EOF
echo ""
# Rules loaded
rules_loaded=$(echo "$stats_json" | jq '.stats.detect.engines[0].rules_loaded // 0' 2>/dev/null)
rules_failed=$(echo "$stats_json" | jq '.stats.detect.engines[0].rules_failed // 0' 2>/dev/null)
cat <<EOF
# HELP suricata_rules_loaded Number of loaded rules
# TYPE suricata_rules_loaded gauge
suricata_rules_loaded ${rules_loaded:-0}
# HELP suricata_rules_failed Number of failed rules
# TYPE suricata_rules_failed gauge
suricata_rules_failed ${rules_failed:-0}
EOF
fi
echo ""
# ========================================================================
# ALERT METRICS FROM EVE.JSON
# ========================================================================
local alerts_data
alerts_data=$(get_eve_alerts)
local total_alerts=0
if [ -n "$alerts_data" ]; then
total_alerts=$(echo "$alerts_data" | wc -l)
fi
cat <<EOF
# HELP suricata_alerts_total Total alerts from eve.json
# TYPE suricata_alerts_total gauge
suricata_alerts_total $total_alerts
EOF
echo ""
# Alerts by severity
cat <<EOF
# HELP suricata_alerts_by_severity Alerts by severity level
# TYPE suricata_alerts_by_severity gauge
EOF
if [ "$total_alerts" -gt 0 ]; then
echo "$alerts_data" | jq -r '.alert.severity // 0' 2>/dev/null | sort | uniq -c | while read -r count severity; do
[ -z "$severity" ] && continue
echo "suricata_alerts_by_severity{severity=\"$severity\"} $count"
done
fi
echo ""
# Alerts by category
cat <<EOF
# HELP suricata_alerts_by_category Alerts by classification category
# TYPE suricata_alerts_by_category gauge
EOF
if [ "$total_alerts" -gt 0 ]; then
echo "$alerts_data" | jq -r '.alert.category // "uncategorized"' 2>/dev/null | sort | uniq -c | sort -rn | head -10 | while read -r count category; do
[ -z "$category" ] && continue
echo "suricata_alerts_by_category{category=\"$(prom_escape "$category")\"} $count"
done
fi
echo ""
# Top 10 signatures
cat <<EOF
# HELP suricata_top_signature_alerts Top triggered signatures
# TYPE suricata_top_signature_alerts gauge
EOF
if [ "$total_alerts" -gt 0 ]; then
echo "$alerts_data" | jq -r '"\(.alert.signature_id // 0)\t\(.alert.signature // "unknown")"' 2>/dev/null | sort | uniq -c | sort -rn | head -10 | while read -r count sid sig; do
[ -z "$sid" ] && continue
echo "suricata_top_signature_alerts{signature=\"$(prom_escape "$sig")\",sid=\"$sid\"} $count"
done
fi
echo ""
# ========================================================================
# EXPORTER RUNTIME
# ========================================================================
local script_end script_duration
script_end=$(date +%s)
local start_s=$((script_start / 1000000000))
[ "$start_s" -eq 0 ] && start_s=$script_start
script_duration=$((script_end - start_s))
cat <<EOF
# HELP suricata_exporter_duration_seconds Time to generate all metrics
# TYPE suricata_exporter_duration_seconds gauge
suricata_exporter_duration_seconds $script_duration
# HELP suricata_exporter_last_run_timestamp Unix timestamp of last successful run
# TYPE suricata_exporter_last_run_timestamp gauge
suricata_exporter_last_run_timestamp $script_end
EOF
}
# ============================================================================
# HTTP SERVER MODE
# ============================================================================
run_http_server() {
echo "Starting Suricata exporter on port $HTTP_PORT..." >&2
if ! command -v nc >/dev/null 2>&1; then
echo "ERROR: netcat (nc) required for HTTP mode" >&2
exit 1
fi
while true; do
{
read -r request
if [[ "$request" =~ ^GET\ /metrics ]]; then
echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/plain; version=0.0.4\r\n\r"
generate_metrics
else
echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r"
cat <<EOF
<!DOCTYPE html>
<html>
<head><title>Suricata Exporter v$EXPORTER_VERSION</title></head>
<body>
<h1>Suricata Prometheus Exporter v$EXPORTER_VERSION</h1>
<p><a href="/metrics">Metrics</a></p>
</body>
</html>
EOF
fi
} | nc -l -p "$HTTP_PORT" -q 1 2>/dev/null
done
}
# ============================================================================
# MAIN EXECUTION
# ============================================================================
main() {
parse_args "$@"
if [ "$HTTP_MODE" = true ]; then
run_http_server
elif [ -n "$OUTPUT_FILE" ]; then
local output_dir
output_dir="$(dirname "$OUTPUT_FILE")"
mkdir -p "$output_dir"
local temp_file
temp_file=$(mktemp "${output_dir}/.suricata_metrics.XXXXXX")
if ! generate_metrics > "$temp_file" 2>/dev/null; then
rm -f "$temp_file"
echo "ERROR: Failed to generate metrics" >&2
exit 1
fi
local file_lines
file_lines=$(wc -l < "$temp_file" 2>/dev/null || echo 0)
if [ "$file_lines" -lt 5 ]; then
rm -f "$temp_file"
echo "ERROR: Metrics file too small ($file_lines lines)" >&2
exit 1
fi
chmod 644 "$temp_file"
mv -f "$temp_file" "$OUTPUT_FILE"
echo "Metrics written to $OUTPUT_FILE ($file_lines lines)" >&2
else
generate_metrics
fi
}
main "$@"