
Comments (7)

fastlorenzo avatar fastlorenzo commented on June 1, 2024 1

@dmaynor that would be really specific to your setup, but you could create an alarm to correlate the information (we're currently working on a modular alarm system).

You can check the maindev branch in elkserver\docker\redelk-base\redelkinstalldata\scripts\modules for examples.
Basically, you could search in rtops and redirtraffic for elements that have been seen in your suricata index.

from redelk.

MarcOverIP avatar MarcOverIP commented on June 1, 2024

Interesting idea. So if I understand you correctly you would like to have the logs from Suricata ingested and accessible via the Kibana interface of RedELK?

I have no recent practical experience with Suricata. Where does it store the logs, and in what format? Got any example logs?


fastlorenzo avatar fastlorenzo commented on June 1, 2024

You could try the filebeat module for suricata: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-suricata.html


dmaynor avatar dmaynor commented on June 1, 2024

That is what I am doing. I can contribute my suricata and file beat config if it would be helpful.


dmaynor avatar dmaynor commented on June 1, 2024

> Interesting idea. So if I understand you correctly you would like to have the logs from Suricata ingested and accessible via the Kibana interface of RedELK?
>
> I have no recent practical experience with Suricata. Where does it store the logs, and in what format? Got any example logs?

They are generally in /var/log/suricata/.

vagrant@logger:/var/log/suricata$ ls -lrth
total 96K
drwxr-xr-x 2 root root 4.0K Oct  8 18:08 files
drwxr-xr-x 2 root root 4.0K Oct  8 18:08 core
drwxr-xr-x 2 root root 4.0K Oct  8 18:08 certs
-rw-r--r-- 1 root root    0 Oct 28 16:52 fast.log
-rw-r--r-- 1 root root  12K Oct 28 16:53 stats.log
-rw-r--r-- 1 root root  46K Oct 28 16:53 eve.json
-rw-r--r-- 1 root root  19K Oct 28 16:53 suricata.log
-rw-r--r-- 1 root root 1.5K Oct 28 16:53 suricata-start.log
vagrant@logger:/var/log/suricata$ 

This is what a fresh install from deb looks like. The config file is in /etc/suricata/suricata.yaml. Normally in a config you define your "home" network. This helps with rule processing to detect attacks targeting your network. For this I put my target as the home, that way I get logs that would show me what a hunter would see. An example from my setup:

vars:
  address-groups:
    HOME_NET: "[10.10.10.0/24]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

This is from a setup I use for Hackthebox. Their target boxes are mostly in the 10.10.10.x range.

Back to /var/log/suricata. The 3 main files are eve.json, fast.log, suricata.log. These are logs of me doing nmap -A against a HTB box with an IP of 10.129.29.36.
- fast.log will be a single line of an event that fires.
- suricata.log holds info about the operations of suricata like start/stop/etc.
- eve.json is a catch-all file for everything in a json format. This isn't just alerts; it also logs stats, flow information, pretty much anything you can imagine and configure in suricata.yaml.

I use filebeat now to copy eve.json. Filebeat has a suricata module: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-suricata.html
I am happy to share anything I am doing or even give access to the VM image I am running. What I am not aware of is how it could correlate with other data you are ingesting. I attached a zip of the files I mention as examples.
suricata.tar.gz

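The correlation fastlorenzo sketched earlier (match what Suricata saw against addresses already present in the rtops and redirtraffic indices) applied to the eve.json records dmaynor describes, as an added example that is not RedELK's own alarm-module code and not the contents of the attached archive. It reads EVE lines, keeps only `event_type: alert`, decides which side of each alert lies outside HOME_NET, and reports alerts whose external address belongs to known red-team infrastructure. The sample EVE lines, the HOME_NET range, the signature names and ids, and the `KNOWN_INFRA` set are all constructed stand-ins; a real module would pull the infrastructure list from Elasticsearch instead.

```python
import json
import ipaddress
from collections import Counter

# Constructed sample eve.json records (not taken from the attached suricata.tar.gz).
# Layout follows Suricata EVE output: one JSON object per line, with event_type
# selecting the record kind (alert, flow, stats, ...). Signature ids are made up.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2024-06-01T12:00:01.000000+0000", "event_type": "alert",
                "src_ip": "10.10.14.5", "src_port": 41022, "dest_ip": "10.129.29.36",
                "dest_port": 22, "proto": "TCP",
                "alert": {"signature": "CONSTRUCTED SCAN SSH version probe",
                          "signature_id": 9000001, "severity": 2}}),
    json.dumps({"timestamp": "2024-06-01T12:00:02.000000+0000", "event_type": "flow",
                "src_ip": "10.10.14.5", "src_port": 41023, "dest_ip": "10.129.29.36",
                "dest_port": 80, "proto": "TCP"}),
    json.dumps({"timestamp": "2024-06-01T12:00:03.000000+0000", "event_type": "alert",
                "src_ip": "10.10.14.5", "src_port": 41024, "dest_ip": "10.129.29.36",
                "dest_port": 80, "proto": "TCP",
                "alert": {"signature": "CONSTRUCTED SCAN HTTP scanner user-agent",
                          "signature_id": 9000002, "severity": 2}}),
    json.dumps({"timestamp": "2024-06-01T12:00:04.000000+0000", "event_type": "alert",
                "src_ip": "203.0.113.77", "src_port": 55555, "dest_ip": "10.129.29.36",
                "dest_port": 445, "proto": "TCP",
                "alert": {"signature": "CONSTRUCTED SCAN SMB enumeration",
                          "signature_id": 9000003, "severity": 2}}),
    "{not valid json",  # truncated trailing line, as seen when the file is still being written
]

# Stand-in for the HOME_NET address-group in suricata.yaml. As in the thread, HOME_NET
# is the *target* range, so alerts describe what a hunter on that network would see.
HOME_NET = [ipaddress.ip_network("10.129.0.0/16")]

# Stand-in for red-team addresses RedELK already knows from rtops/redirtraffic
# (constructed; a real alarm module would query those indices).
KNOWN_INFRA = {"10.10.14.5"}


def parse_eve_lines(lines):
    """Parse eve.json lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a half-written line must not abort the whole batch
    return events


def in_home_net(ip, home_net):
    """True if ip falls inside any HOME_NET range; unparsable addresses count as outside."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in home_net)


def correlate_alerts(events, home_net, known_infra):
    """Return alerts whose non-HOME_NET side is one of our own infrastructure addresses."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        src, dst = ev.get("src_ip"), ev.get("dest_ip")
        if not src or not dst:
            continue
        # The side outside HOME_NET is the one a defender would attribute the activity to.
        if in_home_net(dst, home_net) and not in_home_net(src, home_net):
            external = src
        elif in_home_net(src, home_net) and not in_home_net(dst, home_net):
            external = dst
        else:
            continue  # purely internal or purely external traffic is out of scope here
        if external in known_infra:
            hits.append({
                "timestamp": ev.get("timestamp"),
                "infra_ip": external,
                "target_ip": dst if external == src else src,
                "signature": ev["alert"].get("signature"),
                "signature_id": ev["alert"].get("signature_id"),
                "severity": ev["alert"].get("severity"),
            })
    return hits


def summarize(hits):
    """Count correlated alerts per signature, to show which tradecraft got noticed."""
    return Counter(h["signature"] for h in hits)


def run_demo():
    events = parse_eve_lines(SAMPLE_EVE_LINES)
    hits = correlate_alerts(events, HOME_NET, KNOWN_INFRA)
    return hits, summarize(hits)


if __name__ == "__main__":
    found, per_sig = run_demo()
    for h in found:
        print(f"{h['timestamp']} {h['infra_ip']} -> {h['target_ip']}: {h['signature']}")
    print(dict(per_sig))
```

The unrelated scanner at 203.0.113.77 trips a rule too but is dropped, because the point of the correlation is to surface only the alerts that the operator's own infrastructure caused; those are the ones worth feeding back into tradecraft review.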

dmaynor avatar dmaynor commented on June 1, 2024

My hope is to highlight better redteam tradecraft for all users. If your own redelk instance is flagging your traffic then you have a 50/50 chance a blue team will as well.


fastlorenzo avatar fastlorenzo commented on June 1, 2024

Closing due to inactivity and other priorities, feel free to re-open if still relevant

