Suricata IDS Monitor

by infectit007 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform · ⚠ suspicious
Downloads: 79 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw: /install suricata-monitor
Description
Read and triage Suricata IDS/IPS alerts from eve.json into a structured threat report — severity-ranked findings, attacker IPs, top triggered signatures, and...
Usage Guidance
This skill appears to do what it claims (parse /var/log/suricata/eve.json and make a report), but there are several red flags you should review before installing or running it:
  1. The SKILL.md contradicts itself — it says "No data leaves your machine" yet includes example code that posts reports to Telegram (which would require TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID). Treat those env vars as sensitive.
  2. The doc suggests using 'sudo chmod 644 /var/log/suricata/eve.json' — that relaxes file permissions and can expose sensitive logs to other local users; prefer safer alternatives (add the agent user to the appropriate group or use setfacl) instead of a world-readable chmod.
  3. The cron scheduling example would make the skill run periodically; only add such a schedule if you trust the skill and have reviewed where reports will be sent and stored.
  4. The skill references other skills (telegram-notifier, eva-security-audit) without declaring dependencies; verify those integrations before use.
  5. Because the skill source and homepage are unknown, consider running it manually in a controlled environment first, avoid providing Telegram tokens until you confirm expected behavior, and inspect any files written to 'memory/' or other paths.
If you need higher assurance, request the skill author/source, or have someone review the SKILL.md and test commands in a sandboxed/non-production host.
Capability Analysis
Type: OpenClaw Skill
Name: suricata-monitor
Version: 1.0.0
The suricata-monitor skill is a security utility designed to parse local Suricata IDS logs (/var/log/suricata/eve.json) and generate actionable threat reports. It provides Python logic for log aggregation, severity ranking, and optional delivery to Telegram using environment variables. While the documentation contains a minor contradiction by claiming no data leaves the machine while providing a Telegram integration snippet, the code is transparent, lacks obfuscation, and performs actions consistent with its stated purpose of security monitoring and incident response.
Capability Assessment
Purpose & Capability
The skill's stated purpose (parse local Suricata eve.json and produce a report) matches the code in SKILL.md. However the doc explicitly says "No external API" and "No data leaves your machine" while also including a Telegram delivery example that posts the full report to api.telegram.org. The skill also references other skills (telegram-notifier, eva-security-audit) without declaring those integrations. These contradictions are unexplained and warrant caution.
Instruction Scope
Instructions primarily read /var/log/suricata/eve.json (expected) and build reports, but they also:
  1. suggest changing file permissions with 'sudo chmod 644' (alters system ACLs and widens access to a sensitive log),
  2. show sending the report to Telegram (external network transfer),
  3. write reports into a 'memory/' directory, and
  4. include a cron scheduling example that would make the skill run periodically.
These steps expand scope beyond read-only analysis and are not fully justified in the metadata.
Install Mechanism
No install spec and no code files — the skill is instruction-only, which minimizes extra installed code. There is no download or execution of remote artifacts in the SKILL.md itself.
Credentials
The skill metadata declares no required environment variables, but the delivery example uses os.environ['TELEGRAM_BOT_TOKEN'] and TELEGRAM_CHAT_ID — sensitive credentials that would enable external posting of potentially sensitive logs. The SKILL.md neither declares nor documents these env vars or the privacy implications. The suggestion to run sudo commands (chmod and ufw block commands as recommended actions) further escalates required privileges.
Persistence & Privilege
The 'always' flag is false (good), but the SKILL.md includes explicit instructions to add a cron job via 'openclaw cron add', which would schedule recurring runs. While scheduling is user-initiated, it increases persistence and potential blast radius if the skill is later misused. The document also recommends changing file permissions with sudo, which grants broader system access to the log file.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install suricata-monitor
  3. After installation, invoke the skill by name or use /suricata-monitor
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release. Reads Suricata eve.json alerts, ranks by severity, surfaces top attacker IPs and signatures, delivers GREEN/YELLOW/RED threat report. No external API required.
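As an added illustration of the local-only workflow the release note describes (parse eve.json alert events, rank by severity, surface top source IPs and signatures, emit a GREEN/YELLOW/RED level), here is example code written for this page; it is not the skill's own code, which the listing does not include. The sample log lines, the signature names and the threat-level thresholds are constructed assumptions, and nothing is sent off the machine.

```python
import json
from collections import Counter

# Constructed eve.json sample (one JSON object per line): RFC 5737 documentation
# addresses and made-up signature names, not real Suricata output.
SAMPLE_EVE = "\n".join([
    '{"event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10",'
    '"alert":{"signature":"EXAMPLE SCAN SSH brute force","severity":2}}',
    '{"event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.7"}',
    '{"event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10",'
    '"alert":{"signature":"EXAMPLE SCAN SSH brute force","severity":2}}',
    '{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.0.2.10",'
    '"alert":{"signature":"EXAMPLE EXPLOIT webshell upload","severity":1}}',
    '{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.0.2.1',  # truncated tail
    '{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.0.2.10",'
    '"alert":{"signature":"EXAMPLE POLICY curl user-agent","severity":3}}',
])

def parse_alerts(text):
    """Return only event_type == 'alert' records, skipping the truncated or
    non-JSON lines a live, still-being-written eve.json can contain."""
    alerts = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial tail line: skip it rather than abort the whole run
        if isinstance(ev, dict) and ev.get("event_type") == "alert" and isinstance(ev.get("alert"), dict):
            alerts.append(ev)
    return alerts

def build_report(alerts, top_n=5):
    """Severity-ranked summary (Suricata: 1 = high, 3 = low). The GREEN/YELLOW/RED
    thresholds below are this example's assumption, not the skill's rule."""
    by_sev = Counter(a["alert"].get("severity", 3) for a in alerts)
    src = Counter(a.get("src_ip", "?") for a in alerts)
    sigs = Counter(a["alert"].get("signature", "?") for a in alerts)
    level = "RED" if by_sev[1] else ("YELLOW" if by_sev[2] else "GREEN")
    return {
        "level": level,
        "total_alerts": len(alerts),
        "by_severity": {s: by_sev[s] for s in (1, 2, 3)},
        "top_src_ips": src.most_common(top_n),
        "top_signatures": sigs.most_common(top_n),
    }

if __name__ == "__main__":
    # The report stays on the local machine: print it, send it nowhere.
    print(json.dumps(build_report(parse_alerts(SAMPLE_EVE)), indent=2))
```

Pointing parse_alerts at the real file means opening /var/log/suricata/eve.json as a user that already has read access, which is the alternative to the world-readable chmod the guidance above warns against.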
Metadata
Slug: suricata-monitor
Version: 1.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is Suricata IDS Monitor?

Read and triage Suricata IDS/IPS alerts from eve.json into a structured threat report — severity-ranked findings, attacker IPs, top triggered signatures, and... It is an AI Agent Skill for Claude Code / OpenClaw, with 79 downloads so far.

How do I install Suricata IDS Monitor?

Run "/install suricata-monitor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Suricata IDS Monitor free?

Yes, Suricata IDS Monitor is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Suricata IDS Monitor support?

Suricata IDS Monitor is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Suricata IDS Monitor?

It is built and maintained by infectit007 (@infectit007); the current version is v1.0.0.