So I am running SecurityOnion 16.04 and using Suricata/Zeek.
Suricata - ET Rules/Snort Rules
Zeek - AlienVault OTX.
I have read that other folks are ingesting the rule sets as a seperate index inside of Splunk (say one for OTX, and one for ET).
One how would I go about this, would I pull a new request from the say AlienVault OTX and build the index this way or try and just monitor the file created for the rules (for Zeek, its called bro_otx.dat (which looks to be a TSV file).
I tried to ingest the DAT file but it comes up as Binary.
Have not gotten around to try and ingest the Suricata Rules yet, they are in a file called download.rules
2nd question is there a good reason to ingest the rules seperate from what Zeek/Suricata reports on?