Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
There are many differences between Suricata logs and Zeek logs and so our Hunt queries and Kibana dashboards that were based on Zeek logs don't work as well for Suricata logs. Identify the differences between Suricata logs and Zeek logs and then update parsers, Hunt queries, and Kibana dashboards as necessary.
For example, Zeek logs SSL/TLS traffic as event.dataset:ssl whereas Suricata logs it as event.dataset:tls. We could either change the suricata.tls parser to change event.dataset from tls to ssl OR change the default Hunt query from:
to:
Looks like we'll also need to improve the suricata.tls parser to parse out the tls field in order to get sni, version, ja3, ja3s, etc.
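As an added illustration of the two changes discussed in this issue (example code, not Security Onion's own parser or Hunt query): a function that flattens a Suricata EVE tls record into sni/version/ja3/ja3s fields and sets event.dataset, plus a helper that instead widens a Hunt query so a Zeek-style ssl filter also matches Suricata's tls. The sample record, the flattened output field names and the `(ssl OR tls)` rewrite are assumptions.

```python
import json

# Constructed sample Suricata EVE "tls" event (not a real capture); the layout
# follows Suricata's EVE JSON output, where JA3/JA3S are nested objects.
SAMPLE_EVE_TLS = json.dumps({
    "timestamp": "2021-01-01T00:00:00.000000+0000",
    "event_type": "tls",
    "src_ip": "10.0.0.5", "src_port": 51234,
    "dest_ip": "10.0.0.9", "dest_port": 443,
    "tls": {
        "sni": "example.com",
        "version": "TLS 1.2",
        "ja3": {"hash": "0" * 32, "string": "771,4865-4866,0-23-29,29-23,0"},
        "ja3s": {"hash": "1" * 32, "string": "771,4865,43-51"},
    },
})


def normalize_suricata_tls(raw: str, dataset: str = "ssl") -> dict:
    """Flatten one Suricata EVE tls record. `dataset` is what event.dataset is
    set to; the default "ssl" mirrors option one from the issue (rename
    tls -> ssl in the parser) so Zeek-based queries and dashboards match.
    Output field names are assumed, not Security Onion's."""
    ev = json.loads(raw)
    if ev.get("event_type") != "tls":
        raise ValueError("not a Suricata tls event")
    tls = ev.get("tls", {})
    ja3, ja3s = tls.get("ja3", {}), tls.get("ja3s", {})
    return {
        "event.module": "suricata",
        "event.dataset": dataset,
        "source.ip": ev.get("src_ip"),
        "destination.ip": ev.get("dest_ip"),
        "destination.port": ev.get("dest_port"),
        # Fields named in the follow-up comment; missing keys become None
        # rather than raising, since older Suricata builds may omit JA3S.
        "tls.sni": tls.get("sni"),
        "tls.version": tls.get("version"),
        "tls.ja3": ja3.get("hash"),
        "tls.ja3_string": ja3.get("string"),
        "tls.ja3s": ja3s.get("hash"),
        "tls.ja3s_string": ja3s.get("string"),
    }


def widen_hunt_query(query: str) -> str:
    """Option two from the issue: leave the parser alone and rewrite the Hunt
    query so the ssl dataset filter also matches Suricata's tls dataset."""
    return query.replace("event.dataset:ssl", "event.dataset:(ssl OR tls)")
```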