After using OSSIM for years I was excited to hear about the release of Siemonster. Performance of the Community Edition of OSSIM is, and always was, a major problem for me.
Siemonster addresses this shortcoming. Unfortunately it lacked NIDS support, which was a major show stopper for us. Because a better option was needed fast, I decided to do what I could to get Suricata integrated as quickly as possible so we could migrate away from OSSIM.
To that end I located a few Kibana 4 Suricata dashboards to give me a base to start from and save some time getting our new SIEM up and running. Below you will find all the info needed to get Suricata/Snort integrated into your Siemonster install.
And don't forget, this was an emergency solution and proof-of-concept project that was put directly into production, so your mileage may vary. If you find that something is missing or incorrect, please let me know. I will be updating this with new info as needed.
Enjoy your new full-featured Siemonster, and thanks a LOT for the new SIEM solution Chris and Team!
Here are the Kibana 4 dashboards, searches and visualizations for Suricata: suricata-kibana4.json.tar.gz
Logstash was the biggest problem at the beginning, just getting to the point where we could actually get information into Kibana. I am sure these configs could be improved and optimized, but they work and that was the deciding factor. Now that the SIEM is in production I can invest a bit of time to fix a few things. Just let me know what I could do better. - logstash.tar.gz
All dashboards in Kibana 4 need to be associated with a specific index pattern to be truly effective. In the case of the standard OSSEC board, Kibana has the "ossec-*" index. The Suricata boards need their own as well. Once Logstash starts pushing Suricata info into Elasticsearch you will be able to add these index patterns:
suricata-*
suricata-alert-*
suricata-dns-*
suricata-fileinfo-*
suricata-flow-*
suricata-http-*
suricata-smtp-*
suricata-ssh-*
suricata-stats-*
suricata-tls-*
I run Suricata, OSSEC, Nagios NRPE and Filebeat on all Suricata nodes. Currently I have 5 nodes on differing segments and all report back to my Proteus and Icinga installs. I have yet to miss anything that happens on one of those nodes.
Just like OSSEC, we want a JSON log to feed back to Siemonster so we configure as follows:
##
## Step 3: select outputs to enable
##

# The default logging directory.  Any log or output file will be
# placed here if its not specified with a full path name. This can be
# overridden with the -l command line parameter.
default-log-dir: /var/log/suricata/

# global stats configuration
stats:
  enabled: yes
  # The interval field (in seconds) controls at what interval
  # the loggers are invoked.
  interval: 8

# Configure the type of alert (and other) logging you would like.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
Now you have the standard Siemonster OSSEC client running and Suricata. Both are logging JSON logs and are ready to send back to Siemonster. Here is the important Filebeat part of the config:
filebeat:
  # List of prospectors to fetch data.
  prospectors:
    # Each - is a prospector. Below are the prospector specific configurations
    -
      # Paths that should be crawled and fetched. Glob based paths.
      # To fetch all ".log" files from a specific level of subdirectories
      # /var/log/*/*.log can be used.
      # For each file found under this path, a harvester is started.
      # Make sure no file is defined twice as this can lead to unexpected behaviour.
      paths:
        - /var/log/suricata/eve.json
        - /var/ossec/logs/alerts/alerts.json
        #- /var/log/*.log
        #- c:\programdata\elasticsearch\logs\*
And the Logstash part of the Filebeat config. Just make sure to set the IP of your Siemonster host, but the port needs to be 3522:
### Logstash as output
logstash:
  # The Logstash hosts
  hosts: ["XXX.XXX.XXX.XXX:3522"]
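As an added example, not the contents of the logstash.tar.gz above, here is a minimal Logstash pipeline file that accepts the Filebeat stream on port 3522 and writes each EVE record to an index named after its event_type, which is what produces the suricata-alert-*, suricata-dns-*, etc. patterns the dashboards expect. It assumes Filebeat 1.x (which sets the "source" field to the file path) and an Elasticsearch node at 127.0.0.1:9200; both are assumptions to adjust for your install.

```conf
# Added example pipeline (not the post's logstash.tar.gz).
# Assumes: Filebeat 1.x populates [source] with the file path,
#          Elasticsearch reachable at 127.0.0.1:9200.
input {
  beats {
    port => 3522            # must match the "hosts" port in filebeat.yml
  }
}

filter {
  # Only touch lines that Filebeat read from Suricata's eve.json;
  # the OSSEC alerts.json lines pass through untouched.
  if [source] =~ /eve\.json$/ {
    # Filebeat ships each line as the "message" field; expand the EVE JSON.
    json {
      source => "message"
    }
    # Use Suricata's own timestamp instead of the time Filebeat read the line.
    date {
      match  => ["timestamp", "ISO8601"]
      target => "@timestamp"
    }
    # Unparsable lines have no event_type; give them one so they still land
    # in an index covered by the catch-all suricata-* pattern.
    if ![event_type] {
      mutate { add_field => { "event_type" => "unknown" } }
    }
    mutate { add_tag => ["suricata"] }
  }
}

output {
  if "suricata" in [tags] {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      # e.g. suricata-alert-2016.03.10, suricata-dns-2016.03.10, ...
      index => "suricata-%{event_type}-%{+YYYY.MM.dd}"
    }
  }
}
```

Drop this in alongside the existing Siemonster pipeline files; since Logstash concatenates them, the OSSEC events keep going to the ossec-* index through the existing config while only tagged Suricata events hit the new output.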