Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are the best practices for implementing Suricata Alerts into Splunk Enterprise Security?

enugeelumpfz
Engager
‎02-15-2017 02:09 PM

Hi Everyone,

We have Suricata NIDS onboard and plans to integrate with Splunk and in particular with Splunk Enterprise Security.
What are the best practices of implementing Suricata Alerts into Splunk Enterprise Security App structure, should we configure fastlog or json for better(default) recognition?
How does it fits, is there specific Correlations and Visualizations for this type?

Reply
1 Solution
Solved! Jump to solution
Solution

atellez_splunk
Splunk Employee
Splunk Employee
‎02-15-2017 02:27 PM

The Suricata TA currently supports CIM mappings for the eve.json output only. Fast.log does not have nearly all of the key value information needed for Enterprise Security - from what I can recall. The json option is also natively recognized by Splunk, so in the event you need to search against the raw data it will have syntax highlighting.

View solution in original post

Reply
Solved! Jump to solution

niemesrw
Path Finder
‎02-15-2017 02:29 PM

Hi aaraneta - we use suricata and have done the following:

install the TA: https://splunkbase.splunk.com/app/2760/

Configure suricata.yaml to log eve.json:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONFormat

Configure a UF on the sensor to read the eve.json file:
inputs.conf:
index = suricata
sourcetype = suricata
disabled = false

The app is CIM compatible so it should show up in your datamodels. If not, you might need to restrict the DM constraints to the index or sourcetypes you're using.

Reply
Solved! Jump to solution

fwijnholds_splu
Splunk Employee
Splunk Employee
‎03-22-2018 04:03 AM

I downvoted this post because this ta is not cim compliant

0 Karma
Reply
Solved! Jump to solution

ChadLangUAB
Path Finder
‎08-31-2020 08:33 AM

Is it still the case that the inputs & props included in the "Splunk TA for Suricata" are not CIM-compliant?

https://splunkbase.splunk.com/app/2760/#/details

If not CIM compliant, has anyone indexed these events in an ES CIM-compliant format without reinventing the wheel?

 

Thanks in advance!

0 Karma
Reply
Solved! Jump to solution

enugeelumpfz
Engager
‎02-21-2017 11:21 AM

So if I understand correctly ES contains some scope of Correlations and views for IDS Datamodel not specifically for Suricata?
Is there any kind of intelligence based on signatures in ES to re-assign or interpret severities (Priority value) Suricata alerts differently from how it is marked in Suricata (e.g. we consider some Alerts should have lower Priority) or it's just inheriting from input values ?

0 Karma
Reply
Solved! Jump to solution
Solution

atellez_splunk
Splunk Employee
Splunk Employee
‎02-15-2017 02:27 PM

The Suricata TA currently supports CIM mappings for the eve.json output only. Fast.log does not have nearly all of the key value information needed for Enterprise Security - from what I can recall. The json option is also natively recognized by Splunk, so in the event you need to search against the raw data it will have syntax highlighting.

Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...