SafeAF / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive

Error Parsing Suricata Alerts via Syslog #134

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1.  Clean install of suricata & ELSA on Ubuntu 12.04 LTS
2.  Send suricata alerts to syslog as "snort" identity
3.  View alerts in ELSA

What is the expected output? What do you see instead?
Suricata alerts tagged as SNORT class in ELSA.  

What version of the product are you using? On what operating system?
Ubuntu 12.04 LTS, Suricata 1.4.1, rsyslog sending from host to syslog-ng 3.3.4 
on ELSA server.  

Please provide any additional information below.
The ELSA server is receiving alerts from the host via rsyslog and ingesting them 
into ELSA.  All of the suricata ("snort" identity) alerts are going into the 
ELSA database and are visible in the ELSA web UI, but without the SNORT class (labeled 
"1" in mysql).  This is happening to all suricata alerts.

I was able to locate this in the node.log:

* WARN [2013/05/07 19:26:52] /usr/local/elsa/node/Reader.pm (368) Reader::parse_line 4954 [undef]
Missing required field class id

which appears to match this alert in the syslog:

May  7 16:19:26 HOSTNAME snort[61751]: [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [Classification: Attempted Information Leak] [Priority: 2] {TCP} 1.1.1.1:55555 -> 2.2.2.2:22

I'm guessing this has something to do with the patterndb.xml file, but taking a 
look at it is quite daunting and not quite my forte.  Hoping to get your 2 
cents first :)

Thanks much!

Original issue reported on code.google.com by br...@hurrikane.net on 7 May 2013 at 8:26
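As an added example (not code from this thread, and not ELSA's own patterndb logic), the following Python parser extracts the fields from the Snort/Suricata syslog alert format quoted in the report, and shows why a classifier that requires every field to be present drops an alert to class NONE. The regex, the `classify`/`summarize` helpers and the second and third sample lines (an ICMP alert without ports or a Classification tag, using a placeholder sid, and an unrelated sshd line) are constructed for this example; only the first sample line comes from the issue. The class names SNORT and NONE are the ones the thread mentions; the numeric ids ELSA stores for them are not assumed here.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Snort/Suricata "fast"-style syslog alert, as quoted in the issue:
#   [gid:sid:rev] MSG [Classification: X] [Priority: N] {PROTO} SRC:SPORT -> DST:DPORT
# The Classification tag and the ports are optional: Suricata omits the tag for
# rules with no classtype, and ICMP alerts carry bare addresses. A pattern that
# treats those parts as mandatory fails on such lines, which is one way an
# alert ends up with no class assigned at all.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>snort|suricata)\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[A-Z0-9]+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Constructed sample input. Line 1 is the alert from the report; lines 2 and 3
# are made up for this example (placeholder sid 9000001, unrelated sshd line).
SAMPLE_LINES = [
    "May  7 16:19:26 HOSTNAME snort[61751]: [1:2003068:6] ET SCAN Potential SSH Scan "
    "OUTBOUND [Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "1.1.1.1:55555 -> 2.2.2.2:22",
    "May  7 16:20:01 HOSTNAME snort[61751]: [1:9000001:1] LOCAL test rule without "
    "classtype [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.9",
    "May  7 16:20:03 HOSTNAME sshd[2211]: Accepted publickey for admin from 10.0.0.5 port 40122 ssh2",
]


def _to_int(value: Optional[str]) -> Optional[int]:
    """Convert a captured numeric group to int, leaving absent groups as None."""
    return int(value) if value is not None else None


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Return the alert fields as a dict, or None when the line is not an IDS alert."""
    match = ALERT_RE.match(line)
    if match is None:
        return None
    fields: Dict[str, object] = match.groupdict()
    for key in ("pid", "gid", "sid", "rev", "priority", "sport", "dport"):
        fields[key] = _to_int(fields[key])  # type: ignore[arg-type]
    return fields


def classify(line: str) -> str:
    """Assign the class the thread talks about: SNORT when the alert parses, NONE otherwise."""
    return "SNORT" if parse_alert(line) is not None else "NONE"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count lines per class; a sudden jump in NONE is the symptom the reporter saw."""
    return dict(Counter(classify(line) for line in lines))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), parse_alert(line))
    print(summarize(SAMPLE_LINES))
```

The optional groups are the point of the example: if the `Classification` tag or the ports were required, the second sample line would be classified as NONE even though it is a valid Suricata alert, which is the same kind of "missing required field" failure the node.log warning describes. Running `summarize` over a batch of syslog lines is a cheap check that a pattern change (such as adding a second patterndb file) has not silently shifted alerts into the NONE class.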

GoogleCodeExporter commented 8 years ago
The problem starts after r862, which adds the following line to syslog-ng.conf:
db-parser(file("/etc/elsa_local_patterndb.xml"));

With that line enabled, suricata alerts are given class=NONE.  Commenting out 
that line restores order.

Original comment by kebut...@gmail.com on 8 May 2013 at 2:50

GoogleCodeExporter commented 8 years ago
That's too bad, I guess it won't work to have dual patterndb files, though my 
initial testing seemed to suggest otherwise.  I've backed out that change so 
this should work again.

Original comment by mchol...@gmail.com on 8 May 2013 at 3:03