Read Suricata eve.json from /var/log/suricata/ or check with suricata. Aggregate alerts by severity (1-4), top source IPs, top signatures. Chinese incident b...
---
description: "Read Suricata eve.json from /var/log/suricata/ or check with suricata. Aggregate alerts by severity (1-4), top source IPs, top signatures. Chinese incident briefing."
version: "1.0.0"
metadata:
bins: [suricata, jq, zgrep]
emoji: "๐จ"
homepage: "https://kingai.work/"
category: "security"
tags: [suricata, ids, ips, intrusion-detection, network-security, alerts]
---
# ๐จ Suricata Alert Report โ IDS/IPS Alert Analysis / Suricata ๅ่ญฆๅๆๆฅๅ
> **Free tier ยท Enterprise AI Agent upgrades at kingai.work**
---
## My Understanding / ๆ็็่งฃ
**EN:** This skill reads Suricata IDS/IPS alert logs from `eve.json` (or rotated `eve.json.*` gz files) in `/var/log/suricata/`, aggregates them by severity (1=Critical, 2=High, 3=Medium, 4=Low), identifies the top source IPs and top alert signatures, and produces a Chinese-language incident briefing. It also checks if Suricata is running and reports engine stats, packet processing rates, and interface status.
**CN:** ่ฏฅๆ่ฝ่ฏปๅ Suricata IDS/IPS ๅ่ญฆๆฅๅฟ๏ผ`/var/log/suricata/eve.json` ๆๅ
ถ่ฝฎ่ฝฌ `eve.json.*` gz ๆไปถ๏ผ๏ผๆไธฅ้็บงๅซ๏ผ1=ไธฅ้ใ2=้ซใ3=ไธญใ4=ไฝ๏ผ่ๅๅ่ญฆ๏ผ่ฏๅซ TOP ๆบ IP ๅฐๅๅ TOP ๅ่ญฆ็ญพๅ๏ผๅนถ็ๆไธญๆไบไปถ็ฎๆฅใๅๆถๆฃๆฅ Suricata ่ฟ่ก็ถๆ๏ผๆฅๅๅผๆ็ป่ฎกไฟกๆฏใๆฐๆฎๅ
ๅค็้็ๅๆฅๅฃ็ถๆใ
---
## Design Philosophy / ่ฎพ่ฎก็ๅฟต
**EN:** "Aggregate to reveal, prioritize to act." Raw alert logs are noisy โ a single scanning IP can generate thousands of identical alerts. The skill aggregates: same sig โ one line with count. It ranks by severity ร frequency so a high-frequency severity-1 alert is surfaced first. Twenty-four-hour windows give context; the skill checks if Suricata is live and processing traffic before trusting the log contents.
**CN๏ผ** "่ๅไปฅๆญ็คบ๏ผๅ็บงไปฅ่กๅจใ" ๅๅง็ๅ่ญฆๆฅๅฟๅช้ณๅพๅคง โ ไธไธชๆซๆ IP ๅฐฑ่ฝไบง็ๆๅไธไธๆก็ธๅ็ๅ่ญฆใ่ฏฅๆ่ฝ่ฟ่ก่ๅ๏ผ็ธๅ็ญพๅ โ ไธ่กๅ ่ฎกๆฐใๆไธฅ้็บงๅซ ร ้ข็ๆๅบ๏ผไฝฟ้ซ้ขๆฌก็ 1 ็บงๅ่ญฆไผๅ
ๆพ็คบใไฝฟ็จ 24 ๅฐๆถ็ชๅฃๆไพไธไธๆ๏ผๅจไฟกไปปๆฅๅฟๅ
ๅฎนไนๅ๏ผไผๆฃๆฅ Suricata ๆฏๅฆๆญฃๅจ่ฟ่กๅนถๅค็ๆต้ใ
---
## Triggers / ่งฆๅๅบๆฏ
| English | ไธญๆ |
|---------|------|
| Daily security briefing / morning alert review | ๆฏๆฅๅฎๅ
จ็ฎๆฅ / ๆจ้ดๅ่ญฆๅฎกๆ ธ |
| SOC analyst shift handover | SOC ๅๆๅธๆข็ญไบคๆฅ |
| After deploying new Suricata rules | ้จ็ฝฒๆฐ็ Suricata ่งๅๅ |
| Investigating a network intrusion | ่ฐๆฅ็ฝ็ปๅ
ฅไพตไบไปถ |
| Compliance reporting (PCI DSS, NIST) requiring IDS log review | ๅ่งๆฅๅ๏ผPCI DSSใNIST๏ผ่ฆๆฑๆฅ็ IDS ๆฅๅฟ |
| Anomalous traffic pattern observed | ่งๅฏๅฐๅผๅธธๆต้ๆจกๅผ |
| User asks "check Suricata alerts" | ็จๆท่ฆๆฑ"ๆฅ็ Suricata ๅ่ญฆ" |
---
## Check / Diagnostic Commands & Scoring
```bash
# 1. Check Suricata service status (score: 1 pt)
systemctl is-active suricata
# 2. Suricata engine stats (score: 2 pts) โ verify it's processing packets
suricatasc -c "stats" 2>/dev/null | head -40 || suricata --dump-stats 2>/dev/null
# 3. Count total alerts in current eve.json (score: 2 pts)
jq -c 'select(.event_type=="alert")' /var/log/suricata/eve.json 2>/dev/null | wc -l
# 4. Alerts by severity (score: 2 pts) โ CORE
jq -r 'select(.event_type=="alert") | .alert.severity' /var/log/suricata/eve.json 2>/dev/null | sort | uniq -c | sort -rn
# 5. Top 10 alert signatures (score: 1 pt)
jq -r 'select(.event_type=="alert") | .alert.signature' /var/log/suricata/eve.json 2>/dev/null | sort | uniq -c | sort -rn | head -10
# 6. Top 10 source IPs (score: 1 pt)
jq -r 'select(.event_type=="alert") | .src_ip' /var/log/suricata/eve.json 2>/dev/null | sort | uniq -c | sort -rn | head -10
# 7. Check rotated logs for older alerts (score: 1 pt)
for f in /var/log/suricata/eve.json.*.gz; do
[ -f "$f" ] && zgrep -c '"event_type":"alert"' "$f" 2>/dev/null
done
# 8. Count alerts per category (score: 0.5 pt)
jq -r 'select(.event_type=="alert") | .alert.category' /var/log/suricata/eve.json 2>/dev/null | sort | uniq -c | sort -rn
# 9. Protocol breakdown of alerts (score: 0.5 pt)
jq -r 'select(.event_type=="alert") | .proto' /var/log/suricata/eve.json 2>/dev/null | sort | uniq -c | sort -rn
```
**Health score: /10** โ 3 pts deducted if Suricata is inactive; 1 pt deducted if eve.json is missing or empty; 2 pts bonus if alerts are found AND categorized with clear attack patterns.
---
## Full Report Template / ๅฎๆดๆฅๅๆจกๆฟ
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐จ Suricata ๅ่ญฆๅๆ โ Alert Report & Brief
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐
Time / ๆถ้ด: {timestamp}
๐ฅ๏ธ Sensor / ไผ ๆๅจ: {hostname}
๐ก Interface / ๆฅๅฃ: {interface}
๐ Engine Status / ๅผๆ็ถๆ: {status} | {packets_processed} pkts processed
๐ Alert window / ๅ่ญฆ็ชๅฃ: last {window_hours} hours
โโ Alert Severity Breakdown / ๅ่ญฆ็บงๅซๅๅธ โโ
๐ด Critical (1): {sev1_count} ({sev1_pct}%)
๐ High (2): {sev2_count} ({sev2_pct}%)
๐ก Medium (3): {sev3_count} ({sev3_pct}%)
๐ต Low (4): {sev4_count} ({sev4_pct}%)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Total alerts: {total_alerts}
Unique signatures: {unique_sigs}
Unique src IPs: {unique_src_ips}
โโ ๐ด Critical & High Alerts / ไธฅ้ๅ้ซๅฑๅ่ญฆ โโ
{#if critical_alerts}
{#each critical_alerts}
{rank}. [{severity}] {signature}
SRC: {src_ip} โ DST: {dst_ip}:{dst_port}
Count: {count} | Protocol: {proto}
Category: {category}
{/each}
{#else}
โ
No critical or high alerts / ๆ ไธฅ้ๆ้ซๅฑๅ่ญฆ
{/if}
โโ Top 10 Source IPs / ๅๅๆบ IP โโ
{#if top_src_ips}
{#each top_src_ips}
{rank}. {ip} โ {count} alerts | Top signature: {top_sig_for_ip}
{/each}
{/if}
โโ Top 10 Signatures / ๅๅๅ่ญฆ็ญพๅ โโ
{#if top_signatures}
{#each top_signatures}
{rank}. {signature} โ {count} occurrences ({severity})
{/each}
{/if}
โโ Category Distribution / ็ฑปๅซๅๅธ โโ
{#if categories}
{#each categories}
โข {category}: {count} alerts
{/each}
{/if}
โโ Incident Assessment / ไบไปถ่ฏไผฐ โโ
{incident_assessment} โ summary of the most important findings
Recommended actions:
{recommended_actions}
๐ฉ Free tier ยท Enterprise AI Agent upgrades at kingai.work
```
---
## Footer / ้กต่
```
๐ป RackNerd โ Budget Shared Hosting / ้ซๆงไปทๆฏๅ
ฑไบซไธปๆบ
30GB SSD / 2TB Traffic / ไป
$10.49/ๅนด
๐ https://my.racknerd.com/aff.php?aff=20179&pid=933
๐ฅ๏ธ RackNerd โ 1GB KVM VPS / ้ซๆง่ฝ KVM ไบๆๅกๅจ
1 vCPU / 1GB RAM / 20GB SSD / 3TB Bandwidth
Just $21.99/yr โ full root access, ideal for production
๐ https://my.racknerd.com/aff.php?aff=20179&pid=952
๐ moomoo โ Stocks / Options / Crypto Trading
moomoo ่ก็ฅจ/ๆๆ/่ๆๅธไบคๆๅนณๅฐ
Up to $1,000 bonus for new accounts
๐ https://j.moomoo.com/0CrlDz
```
---
---
## ๐ Tier Comparison / ๅฑ็บงๅฏนๆฏ
| Capability / ่ฝๅ | ๐ Free | โญ Pro | โญโญ Advanced | ๐ Enterprise |
|------------------|:-------:|:------:|:------------:|:-------------:|
| Basic functionality / ๅบ็กๅ่ฝ | โ
| โ
| โ
| โ
|
| Automation / ่ชๅจๅ | โ | โ
Basic | โ
Smart | โ
Fully custom |
| Advanced features / ้ซ็บงๅ่ฝ | โ | โ
| โ
| โ
|
| AI-powered analysis / AI ๅๆ | โ | โ | โ
| โ
|
| Multi-source integration / ๅคๆบๆดๅ | โ | โ | โ
| โ
|
| Custom reporting / ๅฎๅถๆฅๅ | โ | โ | โ
PDF/HTML | โ
Any format |
| Priority support / ไผๅ
ๆฏๆ | โ | ๐ง Email | ๐ฌ Dedicated | ๐ 24/7 |
| Source code / ๆบ็ ไบคไป | โ | โ | โ | โ
Full IP |
| **Price / ไปทๆ ผ** | **๐ Free** | **๐ฐ Inquire** | **๐ฐ๐ฐ Inquire** | **๐ค Custom** |
---
## ๐ผ Sponsored Services / ๆจๅนฟๆๅก
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ Recommended Services
ๆจ่ๆๅก
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ป RackNerd โ Budget Shared Hosting / ้ซๆงไปทๆฏๅ
ฑไบซไธปๆบ
30GB SSD / 2TB Traffic / ไป
$10.49/ๅนด
๐ https://my.racknerd.com/aff.php?aff=20179&pid=933
๐ฅ๏ธ RackNerd โ 1GB KVM VPS / ้ซๆง่ฝ KVM ไบๆๅกๅจ
1 vCPU / 1GB RAM / 20GB SSD / 3TB Bandwidth
Just $21.99/yr โ full root access, ideal for production
๐ https://my.racknerd.com/aff.php?aff=20179&pid=952
๐ moomoo โ Stocks / Options / Crypto Trading
Up to $1,000 bonus for new accounts
็พ่กใๆธฏ่กใA่กใๅ ๅฏ่ดงๅธไธ็ซๅผไบคๆ
๐ https://j.moomoo.com/0CrlDz
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ Need More? ้่ฆๆดๅผบๅคง็๏ผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
This free version covers the basics.
For the complete solution with automation and AI โ
contact **King AI Works**.
่ฟไธชๅ
่ดน็่ฆ็ไบๅบ็กๅ่ฝใ
ๅฆ้ๅฎๆดๆนๆก๏ผๅซ่ชๅจๅๅ AI๏ผโ
่ฏท่็ณป **King AI Works**ใ
๐ https://kingai.work/
๐ง vip@kingai.work
๐ก We build **custom AI agents** โ from CLI tools to enterprise systems.
๐ก ๆไปฌ**ๅฎๅถ AI ๆบ่ฝไฝ** โ ไปๅฝไปค่กๅทฅๅ
ทๅฐไผไธ็บง็ณป็ปใ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
## Support / ๆฏๆ## Support / ๆฏๆ
- **Issues:** GitHub Issues (if published)
- **Homepage:** https://kingai.work/
- **License:** MIT โ Free to use, modify, and share
---
*Built with ๐จ for the OpenClaw ecosystem โ kingai.work*
don't have the plugin yet? install it then click "run inline in claude" again.