Suricata IDS Monitor

Author: infectit007 · GitHub · v1.0.0 · MIT-0
cross-platform · ⚠ flagged as suspicious
79 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw: /install suricata-monitor
Description
Read and triage Suricata IDS/IPS alerts from eve.json into a structured threat report — severity-ranked findings, attacker IPs, top triggered signatures, and...
Safe-use recommendations
This skill appears to do what it claims (parse /var/log/suricata/eve.json and produce a report), but review the following red flags before installing or running it:
1. The SKILL.md contradicts itself: it states "No data leaves your machine" yet includes example code that posts reports to Telegram, which requires TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID. Treat those environment variables as secrets, and remember that a posted report carries whatever the IDS log contains (internal addresses, hostnames, signature names).
2. The doc suggests 'sudo chmod 644 /var/log/suricata/eve.json'. Mode 644 makes the log readable by every local account; prefer adding the agent user to the log's group, or granting a per-user read ACL with setfacl, over a world-readable chmod.
3. The cron scheduling example makes the skill run unattended on a schedule. Only add such a schedule once you trust the skill and know where its reports are sent and stored.
4. The skill references other skills (telegram-notifier, eva-security-audit) without declaring them as dependencies; verify those integrations before use.
5. The skill's source repository and homepage are unknown. Run it manually in a controlled environment first, withhold Telegram tokens until you have confirmed its behaviour, and inspect anything it writes under 'memory/' or elsewhere. For higher assurance, request the author's source, or have someone review the SKILL.md and test the commands on a sandboxed, non-production host.
Functional analysis
Type: OpenClaw Skill
Name: suricata-monitor
Version: 1.0.0
The suricata-monitor skill is a security utility that parses local Suricata IDS logs (/var/log/suricata/eve.json) and generates actionable threat reports. It provides Python logic for log aggregation and severity ranking, plus optional delivery to Telegram driven by environment variables. The documentation contradicts itself by claiming that no data leaves the machine while supplying a Telegram integration snippet; otherwise the code is transparent, unobfuscated, and consistent with its stated purpose of security monitoring and incident response.
Capability assessment
Purpose & Capability
The skill's stated purpose (parse local Suricata eve.json and produce a report) matches the code in SKILL.md. However the doc explicitly says "No external API" and "No data leaves your machine" while also including a Telegram delivery example that posts the full report to api.telegram.org. The skill also references other skills (telegram-notifier, eva-security-audit) without declaring those integrations. These contradictions are unexplained and warrant caution.
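The description and the Purpose & Capability note above say what the skill computes from eve.json: severity-ranked findings, top source IPs and top signatures, rolled up into a GREEN/YELLOW/RED rating. The block below is an added example written for this page, not the skill's own code and not anything shipped with OpenClaw. It performs the same triage strictly locally, with no Telegram or other outbound delivery. It relies on Suricata's own alert.severity convention (1 is the most severe), mirrors the default HOME_NET from suricata.yaml to tell remote sources apart from local hosts, and runs on a constructed sample log with synthetic addresses and local-rule SIDs; the GREEN/YELLOW/RED thresholds are this example's assumption, since the skill does not publish its own.

```python
"""Local-only triage of Suricata eve.json alerts (added example, not the skill's code)."""
import ipaddress
import json
from collections import Counter

# Suricata's alert.severity is priority-style: 1 is the most severe, 4 the least,
# so "severity-ranked" means sorting ascending on this field.
SEVERITY_LABEL = {1: "high", 2: "medium", 3: "low", 4: "informational"}

# Mirrors Suricata's default HOME_NET (the RFC 1918 ranges) plus loopback; set it
# to match your suricata.yaml. Sources inside it are local hosts, not attackers.
HOME_NET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]


def parse_alerts(lines):
    """Yield alert events only, skipping other event types (flow, dns, ...) and
    unparsable lines; the last line of a live eve.json is often half-written."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert" and isinstance(event.get("alert"), dict):
            yield event


def is_home(ip_str):
    """True when the address is inside HOME_NET (unparsable values count as home)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True
    return any(ip in net for net in HOME_NET)


def triage(lines, top_n=5):
    """Return the structured report: rating, severity histogram, ranked findings,
    remote source addresses, and local hosts that fired outbound signatures."""
    alerts = list(parse_alerts(lines))
    sev_counts = Counter(a["alert"].get("severity", 4) for a in alerts)
    sig_counts = Counter((a["alert"].get("severity", 4), a["alert"].get("signature_id"),
                          a["alert"].get("signature")) for a in alerts)
    findings = sorted(sig_counts.items(), key=lambda kv: (kv[0][0], -kv[1]))  # severe, then frequent
    remote = Counter(a.get("src_ip") for a in alerts if not is_home(a.get("src_ip", "")))
    local = Counter(a.get("src_ip") for a in alerts if is_home(a.get("src_ip", "")))
    # Assumed rating rule (the skill does not publish its thresholds):
    # RED on any high-severity alert, YELLOW on medium or low, GREEN otherwise.
    if sev_counts[1]:
        level = "RED"
    elif sev_counts[2] or sev_counts[3]:
        level = "YELLOW"
    else:
        level = "GREEN"
    return {
        "level": level,
        "total_alerts": len(alerts),
        "by_severity": {SEVERITY_LABEL.get(s, str(s)): n for s, n in sorted(sev_counts.items())},
        "findings": [{"severity": SEVERITY_LABEL.get(sev, str(sev)), "sid": sid,
                      "signature": sig, "count": n} for (sev, sid, sig), n in findings[:top_n]],
        "top_remote_sources": remote.most_common(top_n),
        "local_sources": local.most_common(top_n),
    }


def format_report(report):
    """Plain-text rendering; nothing here touches the network."""
    out = [f"[{report['level']}] {report['total_alerts']} alerts"]
    for f in report["findings"]:
        out.append(f"  {f['severity']:<13} sid={f['sid']} x{f['count']}  {f['signature']}")
    for label, key in (("remote sources", "top_remote_sources"), ("local sources", "local_sources")):
        if report[key]:
            out.append(f"  {label}: " + ", ".join(f"{ip} ({n})" for ip, n in report[key]))
    return "\n".join(out)


# Constructed sample eve.json lines (synthetic hosts, local-rule SIDs >= 1000000);
# a flow event and a truncated line are included to show both being skipped.
SAMPLE_EVE = [
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.1"}',
    '{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.5","proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force (constructed)","severity":2}}',
    '{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.5","proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force (constructed)","severity":2}}',
    '{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"198.51.100.23","dest_ip":"10.0.0.5","proto":"TCP","alert":{"signature_id":1000002,"signature":"LOCAL Webshell upload attempt (constructed)","severity":1}}',
    '{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.99","proto":"UDP","alert":{"signature_id":1000003,"signature":"LOCAL Outbound DNS to suspicious TLD (constructed)","severity":3}}',
    '{"timestamp":"2024-05-01T10:00:06.000000+0000","event_type":"alert","src_ip":"203.0.11',
]

if __name__ == "__main__":
    print(format_report(triage(SAMPLE_EVE)))
```

Running the file prints the report for the sample; passing `open('/var/log/suricata/eve.json')` to `triage` gives the same report for a live log, still without anything leaving the host. Two details are worth carrying over when reading the skill's own code: Suricata's severity scale is inverted relative to a naive "sort descending by severity", and counting every src_ip as an attacker without a HOME_NET check will list your own hosts whenever an outbound signature fires.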
Instruction Scope
Instructions primarily read /var/log/suricata/eve.json (expected) and build reports, but they also: 1) suggest changing file permissions with 'sudo chmod 644' (alters the log's permission bits and makes a sensitive log readable by every local account), 2) show sending the report to Telegram (external network transfer), 3) write reports into a 'memory/' directory, and 4) include a cron scheduling example that would make the skill run periodically. These steps go beyond read-only analysis and are not justified in the metadata.
Install Mechanism
No install spec and no code files — the skill is instruction-only, which minimizes extra installed code. There is no download or execution of remote artifacts in the SKILL.md itself.
Credentials
The skill metadata declares no required environment variables, yet the delivery example reads os.environ['TELEGRAM_BOT_TOKEN'] and TELEGRAM_CHAT_ID, credentials that would let it post potentially sensitive log content to an external service. The SKILL.md neither declares nor documents these variables or their privacy implications. The sudo commands it suggests (the chmod, and ufw block rules offered as recommended response actions) further raise the privileges the skill expects to operate with.
Persistence & Privilege
The 'always' flag is false (good), but the SKILL.md includes explicit instructions to add a cron job via 'openclaw cron add', which would schedule recurring runs. Scheduling is user-initiated, but it adds persistence and widens the blast radius if the skill is later modified or misused. The document also recommends changing the log's permissions with sudo, which widens access to the log file beyond the agent.
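Before following the SKILL.md's 'sudo chmod 644' suggestion (criticised in the recommendations above and in the Instruction Scope and Persistence & Privilege notes), it is worth establishing what the agent account can already read and which of the narrower fixes applies. The following is an added example for this page, not the skill's or OpenClaw's code. It assumes a Linux host with POSIX mode bits; `<agent-user>` in the suggested commands is a placeholder for whichever account runs the agent, and the demo works on a scratch file because the real log is usually absent on a reviewer's machine.

```python
"""Preflight check on the IDS log's permissions (added example, not the skill's code).
Reads mode bits only and never changes anything itself."""
import grp
import os
import stat
import tempfile


def audit_log_access(path, agent_uid=None, agent_gids=None):
    """Classify who can read `path` and which fix, if any, the agent user needs.
    agent_uid/agent_gids default to the calling process; pass the agent's ids
    when auditing on its behalf."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    uid = os.getuid() if agent_uid is None else agent_uid
    gids = set(os.getgroups()) if agent_gids is None else set(agent_gids)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    world_readable = bool(mode & stat.S_IROTH)
    owner_readable = st.st_uid == uid and bool(mode & stat.S_IRUSR)
    group_readable = st.st_gid in gids and bool(mode & stat.S_IRGRP)
    can_read = owner_readable or group_readable or world_readable
    if world_readable:
        # The doc's 'chmod 644' lands here: every local account can read the IDS log.
        verdict, fix = "world-readable", f"sudo chmod 640 {path}"
    elif can_read:
        verdict, fix = "readable", None
    elif mode & stat.S_IRGRP:
        # The group already has read; grant membership instead of widening the mode.
        verdict, fix = "needs-group", f"sudo usermod -aG {group} <agent-user>"
    else:
        # A per-user ACL leaves the mode bits alone. <agent-user> is a placeholder.
        verdict, fix = "needs-acl", f"sudo setfacl -m u:<agent-user>:r {path}"
    return {"mode": oct(mode), "group": group, "world_readable": world_readable,
            "can_read": can_read, "verdict": verdict, "suggested_command": fix}


def demo():
    """Exercise the four outcomes on a scratch file standing in for eve.json."""
    me, other = os.getuid(), os.getuid() + 1  # 'other' is some account that is not ours
    cases = {
        "chmod_644_other_user": (0o644, other, ()),
        "chmod_640_owner": (0o640, me, None),
        "chmod_640_other_user": (0o640, other, ()),
        "chmod_600_other_user": (0o600, other, ()),
    }
    results = {}
    with tempfile.NamedTemporaryFile(prefix="eve-", suffix=".json") as f:
        for name, (mode, uid, gids) in cases.items():
            os.chmod(f.name, mode)
            results[name] = audit_log_access(f.name, uid, gids)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:<22} {r['mode']}  {r['verdict']:<15} {r['suggested_command'] or '(no change needed)'}")
```

os.stat exposes only the classic mode bits, so an ACL already granted with setfacl does not show up here; run `getfacl` on the file to see it. If the check runs as root, pass the agent's uid and group ids explicitly, since root's own read access says nothing about what the agent can open. Tightening a world-readable log to 640 may leave the agent unable to read it; a second run then reports which of the two narrower grants to use.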
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Type the install command in the chat box: /install suricata-monitor
  3. After installation, invoke the skill by name or trigger it with /suricata-monitor
  4. Provide the inputs described in the skill's parameter notes to get structured output
Version history
v1.0.0
Initial release. Reads Suricata eve.json alerts, ranks by severity, surfaces top attacker IPs and signatures, delivers GREEN/YELLOW/RED threat report. No external API required.
Metadata
Slug: suricata-monitor
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 1
FAQ

What is Suricata IDS Monitor?

Read and triage Suricata IDS/IPS alerts from eve.json into a structured threat report — severity-ranked findings, attacker IPs, top triggered signatures, and... It is an AI agent skill plugin for Claude Code / OpenClaw, downloaded 79 times so far.

How do I install Suricata IDS Monitor?

Run the command "/install suricata-monitor" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is required.

Is Suricata IDS Monitor free?

Yes. Suricata IDS Monitor is free of charge under the MIT-0 license and may be downloaded, installed and used without restriction.

Which platforms does Suricata IDS Monitor support?

Suricata IDS Monitor is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Suricata IDS Monitor?

Developed and maintained by infectit007 (@infectit007); the current version is v1.0.0.