EveCtl - Suricata & EveBox Launcher/Controller/Manager Whatever
EveCtl is a tool to help easily manage Suricata and EveBox on Linux systems using containers with Docker or Podman.
Like Simple-IDS it attempts to be simple for the standalone use case, but helps with more advanced use cases as well, such as:
- Using a bundled (containerized) Elasticsearch server, or an external Elasticsearch server if you already have one.
- EveBox Server only mode, if you wish to separate the server side from the sensors.
- Agent mode which runs Suricata and uses the EveBox Agent to send events to an EveBox server.
Simple-IDS is a tool to easily run Suricata and EveBox on Linux systems using Docker or Podman.
Limitations:
- Currently only runs on Linux.
- Still experimental.
System Requirements
In order to use Simple-IDS you will need a Linux machine that has a network interface that is already seeing the traffic you want to monitor. In the simplest of scenarios, this could be the primary network interface on your Linux machine that only sees the traffic to and from that machine itself.
As for the Linux machine itself, it could be any x86_64 or Arm64 Linux machine that has a working installation of Docker or Podman, which should be just about any Linux distribution actively maintained in 2025.
You will also need root access, as that is a requirement for Suricata to get the low level access it needs to network interfaces.
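The requirements above can be checked before installing. The following pre-flight script is an added example, not part of EveCtl or Simple-IDS; it assumes a Linux host with /sys/class/net available, and the two-second traffic sampling window is my own choice.

```shell
#!/bin/sh
# Pre-flight check for the EveCtl requirements: root access, a supported
# architecture, a Docker or Podman binary, and a network interface that is
# actually receiving traffic (not just present).

# Return 0 if the architecture string (as printed by `uname -m`) is one of
# the supported x86_64 / Arm64 variants, 1 otherwise.
arch_supported() {
    case "$1" in
        x86_64|amd64|aarch64|arm64) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first container runtime found on PATH (docker before podman);
# return 1 if neither is installed.
container_runtime() {
    for rt in docker podman; do
        if command -v "$rt" >/dev/null 2>&1; then
            printf '%s\n' "$rt"
            return 0
        fi
    done
    return 1
}

# Print how many bytes interface $1 received over $2 seconds (default 2).
# A zero delta means Suricata would see nothing on that interface.
rx_delta() {
    stats="/sys/class/net/$1/statistics/rx_bytes"
    [ -r "$stats" ] || return 1
    before=$(cat "$stats")
    sleep "${2:-2}"
    after=$(cat "$stats")
    echo $((after - before))
}

# Run all checks; prints findings and returns non-zero if any hard
# requirement (root, arch, runtime) is missing.
preflight() {
    rc=0
    [ "$(id -u)" -eq 0 ] || { echo "not root: Suricata needs root for interface access"; rc=1; }
    arch_supported "$(uname -m)" || { echo "unsupported arch: $(uname -m)"; rc=1; }
    rt=$(container_runtime) || { echo "neither docker nor podman on PATH"; rc=1; }
    [ -n "$rt" ] && echo "container runtime: $rt"
    for d in /sys/class/net/*; do
        iface=${d##*/}
        [ "$iface" = lo ] && continue
        delta=$(rx_delta "$iface" 2) || continue
        echo "$iface received $delta bytes in 2s"
    done
    return $rc
}
```

Run `preflight` as root on the sensor host; an interface listed with 0 bytes is not seeing the traffic you want to monitor.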
Installation
- First choose a directory where the configuration data files can exist. This could be anywhere, but a new directory is recommended. For these installation instructions we will use ~/evectl.
mkdir ~/evectl
cd ~/evectl
curl -sSf https://evebox.org/evectl.sh | sh
Or download directly from https://evebox.org/files/evectl/.
Once you have the program downloaded, run it:
./evectl
Under the configure menu select your network interface, select "Start" from the main menu, then point your browser at http://127.0.0.1:5636.
If running EveCtl on something like your Linux based firewall, router or server you may want to explore the menu options for enabling external access.
GitHub, Questions, etc...
For more current information, or to ask a question see the GitHub project for Simple-IDS: