Sunday, February 2, 2014

Suricata IDPS and Common Information Model



Short and to the point.
This patch (shown below), written by Eric Leblond and present in git master at the time of writing, makes the key names in the JSON log output of Suricata IDPS compliant with the Common Information Model (CIM), so Suricata can be integrated as a data source alongside other CIM-compliant logs and its events correlated with theirs.

In other words, when using Suricata's JSON output for logging (available in the current git master and expected to reach maturity in Suricata 2.0), you can use Logstash and Kibana to query, filter and present the log data using CIM field names, and the same Logstash filters and Kibana queries will apply to any other source that follows the CIM.

The patch's info:
commit 7a9efd74e4d88e39c6671f6a0dda28ac931ffe10
Author: Eric Leblond <eric@regit.org>
Date:   Thu Jan 30 23:33:45 2014 +0100

    json: sync key name with CIM
   
    This patch synchronizes key names with the Common Information Model.
    It updates key names following what is proposed in:
     http://docs.splunk.com/Documentation/PCI/2.0/DataSource/CommonInformationModelFieldReference
    The interest of these modifications is that using the same key names
    as other software will make the data easy to correlate and improve.
    For example, the geoip setting in logstash can be applied on
    all src_ip fields, allowing geoip tagging of data.

How? You could try reading the following:
https://home.regit.org/2014/01/a-bit-of-logstash-cooking/

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output
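To make the correlation argument from the commit message concrete, here is an added example (not code from this post, from Suricata or from Logstash) that does in a few lines of Python what a Logstash pipeline would do: it parses Suricata EVE JSON lines that use the CIM key names, renames the keys of a second log source to the same names, applies one geoip-style enrichment keyed on src_ip to every record regardless of origin, and then groups events from both sources by (src_ip, dest_ip, dest_port). The Suricata lines and the firewall records are constructed sample input, the firewall's vendor key names are a hypothetical schema, and the GEOIP_TABLE is a fake stand-in for the MaxMind database that Logstash's geoip filter consults.

```python
import json
import ipaddress
from collections import defaultdict

# Constructed sample input (not real Suricata output): two EVE JSON lines using
# the CIM key names (src_ip, src_port, dest_ip, dest_port, proto) that Suricata's
# JSON output emits after the patch.
SURICATA_EVE_LINES = [
    '{"timestamp":"2014-02-02T10:00:00.000000+0100","event_type":"alert",'
    '"src_ip":"203.0.113.5","src_port":44321,"dest_ip":"198.51.100.10",'
    '"dest_port":80,"proto":"TCP","alert":{"signature":"constructed test signature","severity":2}}',
    '{"timestamp":"2014-02-02T10:00:01.000000+0100","event_type":"http",'
    '"src_ip":"10.0.0.7","src_port":51002,"dest_ip":"198.51.100.10",'
    '"dest_port":80,"proto":"TCP","http":{"hostname":"example.test","url":"/"}}',
]

# Constructed records from a hypothetical firewall that uses its own key names
# (assumption: this is not any real vendor's schema).
FIREWALL_RECORDS = [
    {"ts": "2014-02-02T09:00:00Z", "action": "deny", "srcaddr": "203.0.113.5",
     "srcport": 44321, "dstaddr": "198.51.100.10", "dstport": 80, "protocol": "tcp"},
]

# Hypothetical vendor name -> CIM name mapping, so both sources share one schema.
FIREWALL_TO_CIM = {"ts": "timestamp", "srcaddr": "src_ip", "srcport": "src_port",
                   "dstaddr": "dest_ip", "dstport": "dest_port", "protocol": "proto"}

# Constructed stand-in for the GeoIP database the logstash geoip filter consults
# (assumption: fake country codes assigned to RFC 5737 documentation ranges).
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "XA",
    ipaddress.ip_network("198.51.100.0/24"): "XB",
}
# Private ranges are never geolocated; the lookup would only return noise for them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def to_cim(record, mapping):
    """Rename keys according to mapping; keys without a mapping pass through."""
    return {mapping.get(k, k): v for k, v in record.items()}


def geoip_lookup(ip):
    """Return a country code for a public address, None for RFC 1918 or unknown."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return None
    for net, code in GEOIP_TABLE.items():
        if addr in net:
            return code
    return None


def enrich(record, field="src_ip"):
    """One enrichment applied to every record, because every source now carries src_ip."""
    code = geoip_lookup(record[field]) if field in record else None
    if code:
        record["geoip"] = {"country_code": code}
    return record


def build_events():
    """Parse the Suricata EVE lines, normalize the firewall records, enrich both."""
    events = []
    for line in SURICATA_EVE_LINES:
        ev = json.loads(line)
        ev["source"] = "suricata"
        events.append(enrich(ev))
    for rec in FIREWALL_RECORDS:
        ev = to_cim(rec, FIREWALL_TO_CIM)
        ev["source"] = "firewall"
        events.append(enrich(ev))
    return events


def correlate(events):
    """Group events from all sources by (src_ip, dest_ip, dest_port); the key
    names are identical for every source, so no per-source logic is needed."""
    groups = defaultdict(list)
    for ev in events:
        key = (ev.get("src_ip"), ev.get("dest_ip"), ev.get("dest_port"))
        groups[key].append(ev["source"])
    return dict(groups)


if __name__ == "__main__":
    for key, sources in correlate(build_events()).items():
        print(key, "seen by", sources)
```

The point of the example is the shape, not the geoip data: once the firewall records have been renamed into the CIM names, `enrich` and `correlate` never need to know which source an event came from, which is exactly what a single `geoip { source => "src_ip" }` filter in Logstash buys you once Suricata emits the same key names as everything else.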
