====== Siemonster Suricata Integration ======
* UPDATE 1: Uploaded correct Logstash configs.
* UPDATE 2: Uploaded corrected Logstash Suricata Stats template.
After using OSSIM for years I was excited to hear about the release of [[https://siemonster.com/|Siemonster]]. Performance of the Community Edition of OSSIM is, and always was, a major problem for me.
Siemonster addresses this shortcoming. Unfortunately it was lacking NIDS support. This was a major show stopper for us. Due to the fact that a better option was needed fast I decided to do what I could to get Suricata integrated as fast as possible so we could migrate away from OSSIM.
To that end I located a few Kibana 4 Suricata dashboards to help give me a base to start from and save me some time getting our new SIEM up and running. Below you will find all the info needed to help you get Suricata/Snort integrated into your Siemonster install.
And don't forget, this was an emergency solution and proof of concept project that was put directly into production; so your mileage may vary. If you find that something is missing or incorrect, please let me know. I will be updating this with new info as needed.
Enjoy your new full featured Siemonster and thanks a LOT for the new SIEM solution Chris and Team!
===== Kibana JSON =====
Here is the Kibana 4 Dashboards, Searches and Visualizations for Suricata: {{:security:suricata-kibana4.json.tar.gz|}}
===== Logstash Configuration =====
Logstash was the biggest problem at the beginning to just get to the point where we could actually get information into Kibana. I am sure these configs could be improved and optimized but they work and that was the deciding factor. Now that the SIEM is in production I can invest a bit of time to fix a few things. Just let me know what I could do better. - {{:security:logstash.tar.gz|}}
===== Kibana 4 Indices =====
All Dashboards in Kibana 4 need to be associated with a specific Indice to be truely effective. In the case of the standard OSSEC board Kibana has the "ossec-*" Index. The Suricata boards need their own as well. Once logstash starts pushing Suricata info into Elastisearch you will be able to add these indices.
Index Patterns
suricata-*
suricata-alert-*
suricata-dns-*
suricata-fileinfo-*
suricata-flow-*
suricata-http-*
suricata-smtp-*
suricata-ssh-*
suricata-stats-*
suricata-tls-*
===== Suricata Nodes =====
I run Suricata, OSSEC, Nagios NRPE and Filebeat on all Suricata nodes. Currently I have 5 nodes on differing segments and all report back to my Proteus and Icinga installs. I have yet to miss anything that happens on one of those nodes.
==== Suricata Configuration ====
Just like OSSEC, we want a JSON log to feed back to Siemonster so we configure as follows:
##
## Step 3: select outputs to enable
##
# The default logging directory. Any log or output file will be
# placed here if its not specified with a full path name. This can be
# overridden with the -l command line parameter.
default-log-dir: /var/log/suricata/
# global stats configuration
stats:
enabled: yes
# The interval field (in seconds) controls at what interval
# the loggers are invoked.
interval: 8
# Configure the type of alert (and other) logging you would like.
outputs:
# a line based alerts log similar to Snort's fast.log
- fast:
enabled: yes
filename: fast.log
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
# Extensible Event Format (nicknamed EVE) event log in JSON format
- eve-log:
enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
#prefix: "@cee: " # prefix to prepend to each log entry
# the following are valid when type: syslog above
#identity: "suricata"
#facility: local5
#level: Info ## possible levels: Emergency, Alert, Critical,
## Error, Warning, Notice, Info, Debug
==== Filebeat Configuration ====
Now you have the standard Siemonster OSSEC client running and Suricata. Both are logging JSON logs and are ready to send back to Siemonster. Here is the important Filebeat part of the config:
filebeat:
# List of prospectors to fetch data.
prospectors:
# Each - is a prospector. Below are the prospector specific configurations
-
# Paths that should be crawled and fetched. Glob based paths.
# To fetch all ".log" files from a specific level of subdirectories
# /var/log/*/*.log can be used.
# For each file found under this path, a harvester is started.
# Make sure not file is defined twice as this can lead to unexpected behaviour.
paths:
- /var/log/suricata/eve.json
- /var/ossec/logs/alerts/alerts.json
#- /var/log/*.log
#- c:\programdata\elasticsearch\logs\*
And the part for logstash. Just make sure to add your IP as needed but port needs to be 3522:
### Logstash as output
logstash:
# The Logstash hosts
hosts: ["XXX.XXX.XXX.XXX:3522"]