Security-Onion-Solutions / securityonion

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
https://securityonion.net

Improve support for Suricata metadata #2200

Closed dougburks closed 3 years ago

dougburks commented 3 years ago

There are many differences between Suricata logs and Zeek logs and so our Hunt queries and Kibana dashboards that were based on Zeek logs don't work as well for Suricata logs. Identify the differences between Suricata logs and Zeek logs and then update parsers, Hunt queries, and Kibana dashboards as necessary.

For example, Zeek logs SSL/TLS traffic as event.dataset:ssl whereas Suricata logs it as event.dataset:tls. We could either change the suricata.tls parser to change event.dataset from tls to ssl OR change the default Hunt query from:

event.dataset:ssl | groupby ssl.version ssl.server_name

to:

event.dataset:ssl OR event.dataset:tls | groupby ssl.version ssl.server_name

Looks like we'll also need to improve the suricata.tls parser to parse out the tls field in order to get sni, version, ja3, ja3s, etc.
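
The two options described above (rename event.dataset in the parser, or broaden the Hunt query), as an added Python example that is not part of this issue or of the Security Onion code base. The Suricata EVE field names (tls.sni, tls.version, tls.ja3.hash, tls.ja3s.hash) are Suricata's own; the ssl.* target field names, the version-string spellings, and the sample records are assumptions made for illustration. The example goes one step beyond the comment: it shows that even after the fields are renamed, the version values still differ between the two sensors, so a groupby on ssl.version only lines up once the values are normalized too.

```python
import json
from collections import Counter

# Constructed sample records (not real sensor output): one Zeek ssl event already in
# the ssl.* shape the Hunt query expects, and one Suricata EVE tls event.
SAMPLE_EVENTS = [
    {"event": {"dataset": "ssl", "module": "zeek"},
     "ssl": {"version": "TLSv12", "server_name": "example.com"}},
    {"event": {"dataset": "tls", "module": "suricata"},
     "tls": {"sni": "example.com", "version": "TLS 1.2",
             "ja3": {"hash": "aaaa", "string": "771,..."},
             "ja3s": {"hash": "bbbb", "string": "771,..."}}},
]

# Suricata EVE tls field -> Zeek-style ssl.* field (assumed target names)
TLS_TO_SSL = {
    "sni": "server_name",
    "version": "version",
    "subject": "subject",
    "issuerdn": "issuer",
    "fingerprint": "cert_fingerprint",
}

# Suricata spells versions "TLS 1.2"; Zeek's ssl.log uses "TLSv12" (assumed spellings)
VERSION_MAP = {"TLS 1.0": "TLSv10", "TLS 1.1": "TLSv11",
               "TLS 1.2": "TLSv12", "TLS 1.3": "TLSv13"}


def normalize_suricata_tls(event, rename_dataset=True):
    """Option 1 from the issue: rewrite a Suricata tls record so its fields land
    under ssl.* and (optionally) event.dataset becomes 'ssl'."""
    if event.get("event", {}).get("dataset") != "tls" or "tls" not in event:
        return event  # not a Suricata tls record; leave untouched
    out = json.loads(json.dumps(event))  # deep copy so the caller's input is intact
    tls = out.pop("tls")
    ssl = out.setdefault("ssl", {})
    for src, dst in TLS_TO_SSL.items():
        if src in tls:
            ssl[dst] = tls[src]
    if "version" in ssl:
        ssl["version"] = VERSION_MAP.get(ssl["version"], ssl["version"])
    # ja3/ja3s are nested objects in EVE; keep only the hash, which is what a
    # Zeek ja3 log carries
    for name in ("ja3", "ja3s"):
        if isinstance(tls.get(name), dict) and "hash" in tls[name]:
            ssl[name] = tls[name]["hash"]
    if rename_dataset:
        out["event"]["dataset"] = "ssl"
    return out


def matches_dataset(event, datasets):
    """Option 2 from the issue: accept either dataset value, the equivalent of
    'event.dataset:ssl OR event.dataset:tls'."""
    return event.get("event", {}).get("dataset") in datasets


def groupby_version_sni(events, datasets=("ssl",)):
    """Emulates 'groupby ssl.version ssl.server_name' over the filtered events.
    Records without ssl.* fields fall into a '-' bucket so the gap is visible."""
    counts = Counter()
    for ev in events:
        if not matches_dataset(ev, datasets):
            continue
        ssl = ev.get("ssl", {})
        counts[(ssl.get("version", "-"), ssl.get("server_name", "-"))] += 1
    return counts


def run_demo():
    # Default query: the Suricata record is filtered out entirely
    raw = groupby_version_sni(SAMPLE_EVENTS)
    # Broadened query only: the Suricata record passes but has no ssl.* fields
    broadened = groupby_version_sni(SAMPLE_EVENTS, ("ssl", "tls"))
    # Parser fix: both records group together under the same version and SNI
    normalized = groupby_version_sni([normalize_suricata_tls(e) for e in SAMPLE_EVENTS])
    return raw, broadened, normalized


if __name__ == "__main__":
    for label, result in zip(("default", "broadened", "normalized"), run_demo()):
        print(label, dict(result))
```

The broadened query alone is not enough: without the parser change the Suricata rows show up as a "-" bucket, and without the value mapping the same TLS version is counted twice under two spellings.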

weslambert commented 3 years ago

suricata.anomaly