Control what fires.
See what fired.
EveBox is the open-source operations suite for Suricata — the IDS/IPS engine that detects threats with rules and emits EVE JSON alerts. Two purpose-built tools cover both halves: EveBox Rules tracks the rules that drive detection, and EveBox triages the alerts they produce in an email-style inbox.
open source · self-hosted or free-hosted · no signup to browse
Suricata is the open-source IDS/IPS/NSM engine that inspects your traffic with detection rules and writes EVE JSON alerts. EveBox is the suite for operating it — upstream and down.
The loop
Two halves of running Suricata — rules in, alerts out, and back again
01 · Control what fires (EveBox Rules)
Choose your rulesets across Emerging Threats, abuse.ch, pawpatrules and more. Search by SID, message or CVE, and read a precise changelog of what changed between updates — so you ship detection you understand.
02 · Suricata detects (the engine)
Suricata runs those rules against live traffic and emits EVE JSON events and alerts. It's the open-source engine the suite wraps — not an EveBox product.
03 · See what fired (EveBox)
The EVE stream lands in the EveBox inbox. Triage alerts like email — archive the noise, star and escalate the real threats, comment for your team — with live updates and severity color-coding.
04 · Close the loop (back to Rules)
An alert that doesn't add up sends you back to EveBox Rules to read the exact rule, its history, and what changed — then back to the inbox to clear it. Detection isn't a setting you flip once; it's a loop you run.
EveBox Rules
Free hosted service · actively evolving
A platform for browsing and managing Suricata rules that retains every version of every rule forever — and shows you exactly what changed in a ruleset between any two updates, in more detail than the upstreams publish themselves.
  alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"ET MALWARE Observed DNS Query to CnC Domain";
- content:"|03|cdn|04|edge|03|net"; nocase;
- classtype:trojan-activity; sid:2034521; rev:6;)
+ content:"|03|cdn|05|edgez|03|net"; nocase;
+ reference:md5,9f2a...e1; classtype:trojan-activity;
+ sid:2034521; rev:7;)
Changelogs that beat the source
Diff any ruleset between two updates or across a date range, classified added / modified / removed / enabled / disabled / moved — including the removed rules even Emerging Threats' own update summaries leave out.
Real diffs, not just counts
Full before/after rule text, field-level parsed diffs, rev tracking, and per-kind count summaries — so you see not just that a rule changed but exactly what changed in it.
Permanent, versioned history
A versioned data model keeps every version of every rule forever. Removed rules keep working pages — no dead links when you're chasing why an old alert stopped firing.
Search across many sources
Emerging Threats, abuse.ch, pawpatrules and more from one place. Search by SID, message and CVE, with per-rule detail pages, a sources catalog, and CVE browsing. Press / to jump to search.
Honest change detection
An indexer polls sources roughly hourly and flags real content changes via comment-insensitive, rev-independent hashing — so a broken upstream fetch never fakes a mass removal.
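As an added illustration, not EveBox Rules' own indexer code (which this page does not publish), the following Python sketch shows the change detection described above together with the added / modified / removed / enabled / disabled classification from the changelog section: the content hash strips `rev:` and ignores the `#` prefix, so a bare rev bump is not reported as a modification and a commented-out rule is reported as disabled rather than removed, and a snapshot that drops most of the previous one is flagged as a suspect fetch instead of a mass removal. The sample rules are constructed, and the 50% removal threshold is an assumed value.

```python
import hashlib
import re
from collections import namedtuple

REV_RE = re.compile(r"\s*rev\s*:\s*\d+\s*;")   # rev:N; is stripped before hashing
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
Rule = namedtuple("Rule", "enabled digest")     # enabled=False when the line is '#'-commented

def parse_ruleset(text):
    """Map sid -> Rule; comment-only lines are skipped, '#alert ...' is a disabled rule."""
    rules = {}
    for line in (ln.strip() for ln in text.splitlines()):
        body = line.lstrip("# ").strip()
        m = SID_RE.search(body)
        if not body.startswith(("alert", "drop", "pass", "reject")) or not m:
            continue
        normalized = " ".join(REV_RE.sub("", body).split())   # hash ignores rev and spacing
        digest = hashlib.sha256(normalized.encode()).hexdigest()
        rules[int(m.group(1))] = Rule(not line.startswith("#"), digest)
    return rules

def diff_rulesets(old, new):
    """Classify changes between two snapshots; a rev bump alone is not a change."""
    out = {"added": sorted(new.keys() - old.keys()),
           "removed": sorted(old.keys() - new.keys()),
           "modified": [], "enabled": [], "disabled": []}
    for sid in sorted(old.keys() & new.keys()):
        if old[sid].digest != new[sid].digest:
            out["modified"].append(sid)
        if old[sid].enabled != new[sid].enabled:
            out["enabled" if new[sid].enabled else "disabled"].append(sid)
    return out

def suspect_fetch(old, new, max_removed_fraction=0.5):
    """True when a snapshot drops most of the previous one: likely a broken fetch, not a purge."""
    return bool(old) and len(old.keys() - new.keys()) / len(old) > max_removed_fraction

# Constructed snapshots (not real ET rules): A rev bump only, B content change, C re-enabled, D gone, E new.
OLD_RULES = """# snapshot 1
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE A"; content:"a"; sid:1000001; rev:1;)
alert dns any any -> any any (msg:"SAMPLE B"; content:"b"; sid:1000002; rev:3;)
#alert tcp any any -> any any (msg:"SAMPLE C"; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"SAMPLE D"; sid:1000004; rev:2;)
"""
NEW_RULES = """# snapshot 2
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE A"; content:"a"; sid:1000001; rev:2;)
alert dns any any -> any any (msg:"SAMPLE B"; content:"bb"; sid:1000002; rev:4;)
alert tcp any any -> any any (msg:"SAMPLE C"; sid:1000003; rev:1;)
alert tls any any -> any any (msg:"SAMPLE E"; sid:1000005; rev:1;)
"""
```

Running `diff_rulesets(parse_ruleset(OLD_RULES), parse_ruleset(NEW_RULES))` reports only B as modified, C as enabled, D as removed and E as added; a "moved" classification would additionally need the source file of each rule, which this sketch does not track.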
Accounts, stars & hit counters
Sign in with OAuth2 to star rules; per-rule hit counters show what's seen in the wild. Private and curated rulesets, plus rule variants, are in progress.
EveBox
Mature · widely deployed · MIT licensed
EveBox turns Suricata's EVE event firehose into a dark, severity-color-coded inbox you actually clear — archive, star/escalate, and comment on alerts like email, then search the full event history when an incident demands it.
Triage like an inbox
Archive the noise, star and escalate the real threats, and comment for the next analyst — work a noisy feed like email instead of scrolling a flat log.
A real dark SOC table
Severity color-coding (red / amber / green) with timestamps, source and destination IPs, and signature names — the fields an analyst scans first, surfaced first.
Full search + real-time
Search the entire EVE event history, and watch new alerts stream in live over SSE — no manual refresh between sips of coffee.
Zero-dependency or scale-out
Run the embedded SQLite store for a self-contained box, or point it at Elasticsearch / OpenSearch 7+ for larger deployments — with reporting and dashboards on Elasticsearch.
One self-contained binary
A Rust / Axum backend and SolidJS UI serving on port 5636. Ship events with the EveBox Agent, or keep your existing Filebeat / Logstash pipeline.
Easy on-ramps
The jasonish/evebox Docker image, RPM/Deb repos, a raw binary, the menu-driven EveCtl, or pre-bundled in ClearNDR Community Edition (formerly SELKS).
Shared DNA
One suite. Two tools. No pretending.
open source · Suricata-native · Rust + SolidJS · self-hosted or free-hosted · by Jason Ish
Open source, no lock-in
EveBox is MIT-licensed; the EveBox Rules web app is AGPL v3. Run them on infrastructure you own — or use the free hosted rule browser. Your data, your call.
Self-host or free-hosted
EveBox is a binary you download and run against your own traffic. EveBox Rules is a free public web service you just open. The front door makes that distinction explicit instead of blurring it.
Rust-fast, analyst-first
Both share a Rust backend and a SolidJS frontend — fast, lean, and built for the operator on shift, not for a sales demo.
Suricata-native, by one author
Both tools speak Suricata's own vocabulary — EVE JSON, rules, rev, SIDs — and both are built by Jason Ish (@jasonish).
Get started
Two tools, two on-ramps
One you run, one you just open. Pick the half you need.
Run EveBox
self-hosted
Self-hosted alert manager — point it at your events and open :5636.
evebox server --datastore sqlite \
  --input /var/log/suricata/eve.json

docker run -it -p 5636:5636 \
  jasonish/evebox:latest \
  -e http://elasticsearch:9200

- RPM / Deb package repositories
- Standalone binary download
- EveCtl — menu-driven Suricata + EveBox + Elasticsearch
- Bundled in ClearNDR Community Edition
Open EveBox Rules
free · hosted
Nothing to install — it's a free, hosted web service.
- Browse and search rules instantly, no account needed
- Diff any ruleset between updates or across a date range
- Sign in with OAuth2 to star rules and track favorites
- Press / anywhere to jump straight to search
FAQ
Common questions
Are EveBox and EveBox Rules the same product?
They're one suite, deliberately built as two focused tools. EveBox (at evebox.org) is the mature alert manager you self-host. EveBox Rules (at rules.evebox.org) is the newer, free hosted rule platform. Same author and DNA — different jobs. This site is just the front door to both.
Is it free?
Yes. EveBox is open source under the MIT license and free to self-host. The EveBox Rules web app is AGPL v3 and runs as a free public hosted service — open it and go.
Do I need Elasticsearch to run EveBox?
No. EveBox ships with an embedded SQLite datastore for self-contained, lighter-load installations. Point it at Elasticsearch / OpenSearch 7+ when you want to scale out, with reporting and dashboards on Elasticsearch.
Where do I download EveBox?
From evebox.org: a Docker image (jasonish/evebox), RPM/Deb repositories, raw binaries, or the menu-driven EveCtl. It's also bundled in ClearNDR Community Edition (formerly SELKS).
What is Suricata?
Suricata is the open-source IDS/IPS/NSM engine that inspects network traffic against detection rules and emits EVE JSON events and alerts. EveBox doesn't replace Suricata — it's the suite for operating the rules it runs and the alerts it produces.