{"id":32213685,"url":"https://github.com/lilithsec/lilith","last_synced_at":"2026-04-01T21:01:47.383Z","repository":{"id":62345274,"uuid":"505047439","full_name":"LilithSec/Lilith","owner":"LilithSec","description":"Reads EVE files into SQL as well as search stored data.","archived":false,"fork":false,"pushed_at":"2026-03-16T00:43:07.000Z","size":92,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-16T11:34:01.489Z","etag":null,"topics":["eve","ids","lae","perl","pie","sagan","security","suricata"],"latest_commit_sha":null,"homepage":"https://metacpan.org/dist/Lilith","language":"Perl","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/LilithSec.png","metadata":{"files":{"readme":"README.md","changelog":"Changes","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-06-19T08:02:10.000Z","updated_at":"2026-03-16T00:33:34.000Z","dependencies_parsed_at":"2023-11-11T23:27:29.882Z","dependency_job_id":"5c454cd3-9900-4e49-b24b-2f05cf5aba33","html_url":"https://github.com/LilithSec/Lilith","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/LilithSec/Lilith","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LilithSec%2FLilith","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LilithSec%2FLilith/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LilithSec%2FLilith/releases","manifests_url":"ht
tps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LilithSec%2FLilith/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/LilithSec","download_url":"https://codeload.github.com/LilithSec/Lilith/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LilithSec%2FLilith/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31291946,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["eve","ids","lae","perl","pie","sagan","security","suricata"],"created_at":"2025-10-22T07:01:31.672Z","updated_at":"2026-04-01T21:01:47.375Z","avatar_url":"https://github.com/LilithSec.png","language":"Perl","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Lilith\n\nLilith reads in EVE files from Suricata and Sagan into PostgreSQL.\n\nFrom there that data can then be searched and information on specific\nevents fetched.
\n\n## Installation\n\n### Debian\n\n```\napt-get install zlib1g-dev cpanminus libdbi-perl libdbix-class-perl \\\n libdata-dumper-perl libdigest-sha-perl libfile-slurp-perl libjson-perl \\\n libnet-server-perl libpoe-perl libtoml-perl\ncpanm Lilith\n```\n\n### FreeBSD\n\n```\npkg install p5-App-cpanminus p5-DBI p5-DBIx-Class p5-DBD-Pg \\\n p5-Data-Dumper p5-Digest-SHA p5-File-Slurp p5-JSON p5-MIME-Base64 \\\n p5-Net-Server p5-POE p5-Sys-Syslog p5-Term-ANSIColor \\\n p5-Text-ANSITable p5-Time-Piece p5-TOML\ncpanm Lilith\n```\n\n### Source\n\n```\nperl Makefile.PL\nmake\nmake test\nmake install\n```
\n\n## Setup\n\nFirst you need to set up your PostgreSQL server.\n\n```\ncreateuser -D -l -P -R -S lilith\ncreatedb -E UTF8 -O lilith lilith\n```\n\nSet up `/usr/local/etc/lilith.toml`.\n\n```\ndsn=\"dbi:Pg:dbname=lilith;host=192.168.1.2\"\npass=\"WhateverYouSetAsApassword\"\nuser=\"lilith\"\n# a handy one to ignore for the extend as it is spammy\nclass_ignore=[\"Generic Protocol Command Decode\"]\n\n# add a suricata instance to monitor\n[suricata-eve]\ninstance=\"foo-pie\"\ntype=\"suricata\"\neve=\"/var/log/suricata/alert.json\"\n\n# add a second suricata instance to monitor\n[another-eve]\ninstance=\"foo2-pie\"\ntype=\"suricata\"\neve=\"/var/log/suricata/alert2.json\"\n\n# add a sagan eve to monitor\n# instance name is 'foo-lae', given there is no value for instance\n[foo-lae]\ntype=\"sagan\"\neve=\"/var/log/sagan/alert.json\"\n```\n\nNow we just need to set up the tables.\n\n```\nlilith -a create_tables\n```\n\nIf using snmpd, add the following extend.\n\n```\nextend lilith /usr/local/bin/lilith -a extend\n```
\n\n### Config File\n\nThe default config file is `/usr/local/etc/lilith.toml`.\n\n| Variable     | Description                                                                                                            |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| dsn          | A DSN connection string to be used by [DBI](https://metacpan.org/pod/DBI). [DBD::Pg](https://metacpan.org/pod/DBD::Pg) |\n| pass         | Password to use for the connection.                                                                                    |\n| user         | User to use for the connection.                        
                                                                |\n| class_ignore | Array of classes to ignore.                                                                                            |\n\nSub hashes are then treated as an instance. The following values are\navailable for that.\n\n| Variable | Required | Description                                                        |\n|----------|----------|--------------------------------------------------------------------|\n| eve      | yes      | The EVE file to follow.                                            |\n| type     | yes      | `sagan` or `suricata`, depending on which it is.                   |\n| instance | no       | The name for the instance. If not specified the hash name is used. |
\n\n## Options\n\n### SYNOPSIS\n\n```\nlilith [-c \u003cconfig\u003e] -a run\n\nlilith [-c \u003cconfig\u003e] -a class_map\n\nlilith [-c \u003cconfig\u003e] -a create_tables\n\nlilith [-c \u003cconfig\u003e] -a dump_self\n\nlilith [-c \u003cconfig\u003e] -a event [-t \u003ctable\u003e] --id \u003crow_id\u003e [--raw]\n[[--pcap \u003coutput file\u003e] [--virani \u003cremote\u003e] [--buffer \u003cbuffer seconds\u003e]]\n\nlilith [-c \u003cconfig\u003e] -a event [-t \u003ctable\u003e] --event \u003cevent_id\u003e [--raw]\n[[--pcap \u003coutput file\u003e] [--virani \u003cremote\u003e] [--buffer \u003cbuffer seconds\u003e]]\n\nlilith [-c \u003cconfig\u003e] -a extend [-Z] [-m \u003cminutes\u003e]\n\nlilith [-c \u003cconfig\u003e] -a get_short_class_snmp_list\n\nlilith [-c \u003cconfig\u003e] -a search [--output \u003creturn\u003e] [-t \u003ctable\u003e]\n[-m \u003cminutes\u003e] [--order \u003cclm\u003e] [--limit \u003cint\u003e] [--offset \u003cint\u003e]\n[--orderdir \u003cdir\u003e] [--si \u003csrc_ip\u003e] [--di \u003cdst_ip\u003e] [--ip \u003cip\u003e]\n[--sp \u003csrc_port\u003e] [--dp \u003cdst_port\u003e] [--port \u003cport\u003e] [--host \u003chost\u003e]\n[--ih \u003chost\u003e] [-i \u003cinstance\u003e] [-c \u003cclass\u003e] [-s \u003csig\u003e] [--if \u003cif\u003e]\n[--ap \u003cproto\u003e] [--gid \u003cgid\u003e] [--sid \u003csid\u003e] [--rev \u003crev\u003e]\n[--subip \u003csubip\u003e] [--subhost \u003csubhost\u003e] [--slug \u003cslug\u003e] [--pkg \u003cpkg\u003e]\n[--malscore \u003cmalscore\u003e] [--size \u003csize\u003e] [--target \u003ctarget\u003e]\n[--task \u003ctask\u003e]\n```
\n\n### GENERAL SWITCHES\n\n#### -a action\n\nThe action to perform.\n\n    - Default :: search\n\n#### -c config\n\nThe config file to use.\n\n    - Default :: /usr/local/etc/lilith.toml\n\n#### -t table\n\nTable to operate on.\n\n    - Default :: suricata\n\n### ACTIONS\n\n#### run\n\nStart processing the EVE logs and daemonize.\n\n#### class_map\n\nPrint a table of class mapping from long name to the short name used for display in the search results.\n\n#### create_tables\n\nCreate the tables in the DB.\n\n#### dump_self\n\nInitiate Lilith and then dump it via Data::Dumper.\n\n#### event\n\nFetches an event. The table to use can be specified via -t.\n\n##### --id row_id\n\nFetch event via row ID.\n\n##### --event event_id\n\nFetch the event via the event ID.\n\n##### --raw\n\nDo not decode the EVE JSON.\n\n##### --pcap file\n\nFetch the remote PCAP via Virani and write it to the file. Only usable with Suricata tables.\n\n    - Default :: undef\n\n##### --virani conf\n\nVirani setting to pass to -r.\n\n    - Default :: instance name in alert\n\n##### --buffer secs\n\nHow many seconds to pad the start and end time with.\n\n    - Default :: 60\n\n#### extend\n\nPrints a LibreNMS style extend.\n\n##### -Z\n\nEnable Gzip+Base64 LibreNMS style extend compression.\n\n##### -m minutes\n\nHow far back to search. For the extend action, 5 minutes\nis the default.\n\n##### -d dir\n\nThe directory to write it out to.\n\n#### get_short_class_snmp_list\n\nPrint a list of shortened class names for use with SNMP.
\n\n#### search\n\nSearch the DB. The table may be specified via -t.\n\nThe common option types for search are as below.\n\n    - Integer :: A comma separated list of integers to check for. Any number\n                 prefixed with a ! will be negated.\n    - String :: A string to check for. May be matched using like or negated via\n                the proper options.\n    - Complex :: An item to match.\n    - IP :: An IP.\n\n##### General Search Options\n\n###### --output return\n\nThe output type.\n\n    - Values :: table,json\n    - Default :: table\n\n###### -m minute\n\nHow far back to go in minutes.\n\n    - Default :: 1440\n\n    - Default, extend :: 5\n\n###### --order column\n\nColumn to sort by.\n\n    - Default :: timestamp\n\n    - Cape Default :: stop\n\n###### --orderdir direction\n\nDirection to order in.\n\n    - Values :: ASC,DSC\n    - Default :: ASC\n\n##### IP Options\n\n###### --si src IP\n\nSource IP.\n\n    - Default :: undef\n    - Type :: IP\n\n###### --di dst IP\n\nDestination IP.\n\n    - Default :: undef\n    - Type :: IP\n\n###### --ip IP\n\nIP, either dst or src.\n\n    - Default :: undef\n    - Type :: complex IP\n\n##### Port Options\n\n###### --sp src port\n\nSource port.\n\n    - Default :: undef\n    - Type :: integer\n\n###### --dp dst port\n\nDestination port.\n\n    - Default :: undef\n    - Type :: integer\n\n###### -p port\n\nPort, either dst or src.\n\n    - Default :: undef\n    - Type :: complex integer\n\n##### Host Options\n\n    Sagan :: Host is the sending system and instance host is the host the\n             instance is running on.\n\n    Suricata :: Host is the system the instance is running on. There is no\n                instance host.\n\n###### --host host\n\nHost.\n\n    - Default :: undef\n    - Type :: string\n\n##### Instance Host Options\n\n###### --ih host\n\nInstance host.\n\n    - Default :: undef\n    - Type :: string\n\n##### Instance Options\n\n###### -i instance\n\nInstance.\n\n    - Default :: undef\n    - Type :: string
\n\n##### Class Options\n\n###### -c class\n\nClassification.\n\n    - Default :: undef\n    - Type :: string\n\n##### Signature Options\n\n###### -s sig\n\nSignature.\n\n    - Default :: undef\n    - Type :: string\n\n##### In Interface Options\n\n###### --if if\n\nInterface.\n\n    - Default :: undef\n    - Type :: string\n\n##### App Proto Options\n\n###### --ap proto\n\nApp proto.\n\n    - Default :: undef\n    - Type :: string\n\n##### Rule Options\n\n###### --gid gid\n\nGID.\n\n    - Default :: undef\n    - Type :: integer\n\n###### --sid sid\n\nSID.\n\n    - Default :: undef\n    - Type :: integer\n\n###### --rev rev\n\nRev.\n\n    - Default :: undef\n    - Type :: integer\n\n##### CAPEv2 Options\n\n###### --slug slug\n\nThe slug it was submitted with.\n\n    - Default :: undef\n    - Type :: string\n\n###### --pkg pkg\n\nThe detonation package used with CAPEv2.\n\n    - Default :: undef\n    - Type :: string\n\n###### --malscore malscore\n\nThe malscore of the sample.\n\n    - Default :: undef\n    - Type :: integer\n\n###### --size size\n\nThe size of the sample.\n\n    - Default :: undef\n    - Type :: integer\n\n###### --target target\n\nThe detonation target.\n\n    - Default :: undef\n    - Type :: string\n\n###### --task task\n\nThe task ID of the run.\n\n    - Default :: undef\n    - Type :: integer\n\n###### --subip subip\n\nThe IP the sample was submitted from.\n\n    - Default :: undef\n    - Type :: IP\n\n###### --subhost subhost\n\nThe host the sample was submitted from.\n\n    - Default :: undef\n    - Type :: string
\n\n## ENVIRONMENTAL VARIABLES\n\n### Lilith_table_color\n\nThe Text::ANSITable table color to use.\n\n    - Default :: Text::ANSITable::Standard::NoGradation\n\n### Lilith_table_border\n\nThe Text::ANSITable border type to use.\n\n    - Default :: ASCII::None\n\n### Lilith_IP_color\n\nPerl boolean for if IPs should be colored or not.\n\n    - Default :: 1\n\n### Lilith_IP_private_color\n\nANSI color to use for private IPs.\n\n    - Default :: bright_green\n\n### Lilith_IP_remote_color\n\nANSI color to use for remote IPs.\n\n    - Default :: bright_yellow\n\n### Lilith_IP_local_color\n\nANSI color to use for local IPs.\n\n    - Default :: bright_red\n\n### Lilith_timesamp_drop_micro\n\nPerl boolean for if microseconds should be dropped or not.\n\n    - Default :: 1\n\n### Lilith_instance_color\n\nPerl boolean for if the lilith instance column info should be colored.\n\n    - Default :: 1\n\n### Lilith_instance_type_color\n\nColor for the instance name.\n\n    - Default :: bright_blue\n\n### Lilith_instance_slug_color\n\nColor for the instance slug.\n\n    - Default :: bright_magenta\n\n### Lilith_instance_loc_color\n\nColor for the instance loc.\n\n    - Default :: bright_cyan\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flilithsec%2Flilith","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flilithsec%2Flilith","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flilithsec%2Flilith/lists"}