pevma
commented
4 years ago You mean the metadata of the signature itself right?
Open ManuelFFF opened 4 years ago
pevma
commented
4 years ago You mean the metadata of the signature itself right?
ManuelFFF
commented
4 years ago If by "metadata" you refer to the metadata field in the screenshot, I think I am looking for something else, or maybe not all the metadata information is shown there. I am not sure, how Scirius does it, but when I search for signatures in Scirius and type "Scan" for example, to create a filter and group IDs related to "Scan" type of attacks, I got a list of many IDs, that can explicit include in their "Message" field the word "Scan", but also other IDs that does not say "Scan", but "Malware" or "Brute Force" or "Trojan", but per Scirius all of them are related to Scan attacks. And basically that's what I need.
So far I have been doing those searches in Scirius, then manually copying the IDs, then adding/updating filters in Kibana. This may not be efficient, but in part solves my needs. The issue is that these signature IDs are updated very often in Suricata, so in as little time as hours or a couple of days, the filters I made become obsolete or do not contain the latest rule IDs available in Suricata.
That is why I need either of the following options (or could even accept new ideas): 1- A way to automate the filter content updates in Kibana from Scirius/Suricata. 2- Add an extra field to index "logstash-alert- *", where the signatures are classified as "Brute Force", "Scan", "C&C", etc, for just give a couple of examples. By doing this my visualizations in Kibana will only need to filter by this field (lets call it "alert.type" (or "alert.group")) and this will reduce tremendously the load I am currently pushing to Kibana.
Please feel free to ask if you need more details/feedback, tests, etc.
Thank you
ManuelFFF
commented
4 years ago Any new comment on this?
pevma
commented
4 years ago I looked into the logs and i dont see anywhere where we could select/filter on classification. However , i think if the rule itself is enabled to be logged for the alert it can be selected that way.
ManuelFFF
commented
4 years ago Hi,
Is there a way your team could use/implement what ELK Team proposes?
https://discuss.elastic.co/t/suricata-rulsets-updates-and-kibana/233809
All I need is that every alert from Suricata have an addition field containing the type of attack (lets call it "alert.type" or "alert.group"), so I can do a simple filter for visualizations. I think this may be done in Suricata, or in Logstash, but I am not an expert :P.
Type of attacks could be: BruteForce, Ransomware, C&C, Botnet, Scan, etc.
pevma
commented
4 years ago I'll look into this. Please feel free to ping me on the jabber/help channel for more info if needed.
ManuelFFF
commented
4 years ago Will do. Thank you for your great support!
ManuelFFF
commented
4 years ago Hi @pevma ,
Any update on this?
Thank you
pevma
commented
4 years ago I cant really come up with smooth way to automate this that can be replicated for any set up. Ideas are welcome.
ManuelFFF
commented
4 years ago Hi @pevma ,
Oh I'm sorry to hear this. I was hoping that you and your team would find a way to address this or take advantage of the latest suggestion from the ELK contributor.
I confess that I am not an advanced user of Suricata, nor of ELK stack, that is why I like so much SELKS and you are my hope.
The only idea that comes to my mind is adding a new field to the Suricata log while it is being processed in Logstash, before being sent to the index in ELK:
if {[condition to check] {
mutate {add_field => {"attack_type" => "Brute Force"}}
}
if {[condition to check] {
mutate {add_field => {"attack_type" => "C&C"}}
}
.
.
.What is not very clear to me is the condition for the "if", but I think it must be related to the "SID" or "Message" of each rule in Suricata.
Hope this helps in some way.
Thank you
Hi,
I've defined a number of visualizations in Kibana, which use the signature IDs from Suricata. Initially I made a series of manual filters by ID and the visualizations look good, showing the information I need.
The problem is that these signature IDs are updated very often in Suricata, so in as little time as hours or a couple of days, the filters I made become obsolete or do not contain the latest rule IDs available in Suricata.
Not incorporating these new IDs into my visualizations is a big problem for me, so I'm looking for a way that I can automate updating these filters from Scirius or Suricata to Kibana.
Is there a way to achieve this automation process?
As a note I comment that, in my opinion, it would be best if the information I need was already included in the index "logstash-alert- *" in the form of an additional field. This way, I would not have to do any filter in Kibana and would only show this new field, since the alerts would be categorized as they were being indexed.. But unfortunately, I don't know how to achieve this either.
Example:
(it already exists) alert.category: Attempted Denial of Service alert.signature: ET SCAN Possible SSL Brute Force attack or Site Crawl alert.signature_id: 2001553
(to add) alert.type (or alert.group): Brute Force attack
Either having to use my filters or using the index enhancement (if become available) I should be able to move forward, so any help is welcome.
Thank you