Open AakashR2208 opened 4 years ago
Hi @AakashR2208 Could you send an example of an event for testing? I'll add a separate level of threshold for suricata
I added the suricata_lvl_threshold parameter to custom-w2thive.py. If you set the value to 3, events with level 3, 2 and 1 will be sent. Thanks for pointing out the flaw. Does this solve your problem? The severity value is taken from [data.alert.severity]. If you have a different path, you can set it on line 75: if int(w_alert['data']['alert']['severity']) <= suricata_lvl_threshold. I did not specify this parameter separately because I think that it matches yours.
Hi Thanks for updating the script. This is an example log that is fired up for suricata tls.
{
"_index": "wazuh-alerts-3.x-2020.06.29",
"_type": "_doc",
"_id": "",
"_version": 1,
"_score": null,
"_source": {
"cluster": {
"node": "",
"name": "wazuh"
},
"input": {
"type": "log"
},
"agent": {
"ip": "",
"name": "",
"id": "",
"labels": {
"operating": {
"system": ""
},
"group": ""
}
},
"manager": {
"name": ""
},
"data": {
"in_iface": "enp3s0",
"src_ip": "",
"src_port": "",
"event_type": "tls",
"flow_id": "",
"dest_ip": "",
"proto": "TCP",
"tls": {
"session_resumed": "true",
"version": "TLS 1.2",
"sni": ""
},
"dest_port": "",
"timestamp": "2020-06-29T21:40:31.724337+0000"
},
"rule": {
"firedtimes": 8065,
"mail": false,
"level": 3,
"description": "Suricata: TLS.",
"groups": [
"ids",
"suricata"
],
"id": "86604"
},
"location": "/var/log/suricata/eve.json",
"decoder": {
"name": "json"
},
"id": "",
"timestamp": "2020-06-29T21:40:32.504+0000"
},
"fields": {
"data.timestamp": [
"2020-06-29T21:40:31.724Z"
],
"timestamp": [
"2020-06-29T21:40:32.504Z"
]
}
}
As you can see, I do not have a data.alert.severity field in my alert. What if I only use the rule.groups field? Would that not do it though?
Thanks Aakash
Can you try to change this (line 75)
if int(w_alert['data']['alert']['severity']) <= suricata_lvl_threshold
to this
if int(w_alert['rule']['level']) <= suricata_lvl_threshold
and check that it executes correctly? Indeed, only rule.groups can be checked, but even in a small network, suricata creates many events. By setting the level you can reduce this number. I chose the data.alert.severity field because the rule level in the same event did not match for me:
"rule": { "level": 3,
"alert": { "severity": "2",
I decided that using data.alert.severity would be more correct. I have doubts that I understood you correctly, so I will write this: suricata rules create events with rule.level from 3 to 0. The most important level is 0. The most unimportant level is 3. If everything is correct, then you just need to change w_alert['data']['alert']['severity'] to w_alert['rule']['level'] and set suricata_lvl_threshold = 3. Integration will send events with groups ['suricata', 'ids'] and level 3 or lower (all). If I misunderstood you and you need a different solution, please tell me.
Hi Vadim,
I changed the code on line 75 to just
if w_alert['rule']['groups']==["ids","suricata"] or int (w_alert ['rule'] ['level']) <= lvl_threshold:
send_alert.
...
And the alerts seem to be coming into the Hive. For some reason some alerts do not have the data.alert.severity field and in others it's not consistent, so I decided not to use that field for filtering. I'll now fix this field issue with my alerts.
Thank you so much for helping me with this! Aakash
Hi Vadim,
The suricata alerts were coming in fine but there was just a lot that suricata was giving to wazuh. So, I analyzed the alerts on wazuh a little more and found the data.alert.severity field in my suricata wazuh alerts. Then, I tried using your suggestion to use that field to further filter out the suricata alerts. On line 75, I changed the script to
if int(w_alert['data']['alert']['severity']) <= suricata_lvl_threshold:
    send_alert(alert, thive_api)
if int(w_alert['rule']['level']) >= lvl_threshold:
    send_alert(alert, thive_api)
After restarting the cluster I'm getting the error:
2020-07-07 15:27:44,582 - __main__ - ERROR - EGOR
Traceback (most recent call last):
File "/var/ossec/integrations/custom-w2thive.py", line 166, in <module>
main(sys.argv)
File "/var/ossec/integrations/custom-w2thive.py", line 75, in main
if int(w_alert['data']['alert']['severity'])<=suricata_lvl_threshold:
KeyError: 'alert'
I checked the wazuh alert and it has the data.alert.severity field but the hive api does not seem to parse it properly. Could you please suggest how to remove this error?
I can also give an example log for you to test.
Thanks Aakash
Hi @AakashR2208 Thanks for your message (: The problem is that data.alert.severity is only in event-type "alert" (https://suricata.readthedocs.io/en/suricata-5.0.2/output/eve/eve-json-format.html#event-type-alert). I will add a check for the presence of this field today or tomorrow. You will receive only event-type alert from suricata. If you need other event-types (http, dns, ftp, etc.) please tell me about it. I will try to come up with another solution.
P.S. I find that most of the "noise" is made by events with a type other than "alert".
Hey,
Thanks for replying. I just want the alert type 'Suricata: alert'. The way I had it before with only the rule.groups filter, theHive was flooded with Suricata: dns, http and tls. I wanted a way to remove those and just have alerts go to theHive.
It would be great if you could fix that.
I updated the repository. Now you will receive alerts from suricata only event.type: alert. To limit the level of suricata events sent, you can set suricata_lvl_threshold. I hope this solves your problem. But if not, we will find a better solution (:
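To make the filtering rule from this thread concrete, here is a stand-alone decision function written for this discussion (it is an added example, not the code of custom-w2thive.py). It combines both thresholds discussed above: Wazuh rule.level (higher is more severe, forwarded when >= lvl_threshold) and Suricata data.alert.severity (1 is most severe, forwarded when <= suricata_lvl_threshold), and it only looks at data.alert on event_type "alert", so dns/http/tls events are dropped instead of raising the KeyError shown earlier. The default threshold values, the 100001-100004 rule ids and the sample events are constructed for the example; matching "suricata" in rule.groups (instead of exact list equality) is my own generalisation.

```python
def is_suricata(w_alert):
    """True when the Wazuh rule tags the event as coming from Suricata."""
    return "suricata" in w_alert.get("rule", {}).get("groups", [])


def should_forward(w_alert, lvl_threshold=5, suricata_lvl_threshold=2):
    """Return True if this Wazuh alert should be sent to TheHive.

    Wazuh rule.level: higher is more severe, forward when level >= lvl_threshold.
    Suricata data.alert.severity: 1 is most severe, forward when severity <=
    suricata_lvl_threshold. The severity field only exists on event_type
    "alert", so other Suricata event types are dropped without touching it.
    Thresholds default to assumed values; tune them for your environment.
    """
    data = w_alert.get("data", {})
    if is_suricata(w_alert):
        if data.get("event_type") != "alert":
            return False  # dns/http/tls/flow records: noise, not detections
        severity = data.get("alert", {}).get("severity")
        try:
            return int(severity) <= suricata_lvl_threshold
        except (TypeError, ValueError):
            return False  # missing or malformed severity: do not forward
    try:
        return int(w_alert.get("rule", {}).get("level", 0)) >= lvl_threshold
    except (TypeError, ValueError):
        return False


# Constructed sample events in the Wazuh alert shape (values are made up;
# only the TLS record mirrors the one pasted in the thread).
TLS_NOISE = {"rule": {"level": 3, "groups": ["ids", "suricata"], "id": "86604"},
             "data": {"event_type": "tls", "tls": {"version": "TLS 1.2"}}}
IDS_HIGH = {"rule": {"level": 3, "groups": ["ids", "suricata"], "id": "100001"},
            "data": {"event_type": "alert", "alert": {"severity": "1"}}}
IDS_LOW = {"rule": {"level": 3, "groups": ["ids", "suricata"], "id": "100002"},
           "data": {"event_type": "alert", "alert": {"severity": "3"}}}
SSH_AUTH = {"rule": {"level": 10, "groups": ["syslog", "sshd"], "id": "100003"},
            "data": {"srcip": "192.0.2.10"}}
LOW_NOISE = {"rule": {"level": 3, "groups": ["syslog"], "id": "100004"},
             "data": {}}


def forwarded_rule_ids(alerts, **thresholds):
    """Rule ids of the alerts that would reach TheHive, in input order."""
    return [a["rule"]["id"] for a in alerts if should_forward(a, **thresholds)]


if __name__ == "__main__":
    print(forwarded_rule_ids([TLS_NOISE, IDS_HIGH, IDS_LOW, SSH_AUTH, LOW_NOISE]))
```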
Hi Vadim,
Thanks for updating the script. It's working fine now. I am only getting the actual suricata alerts and not all the noise.
Cheers Aakash
Hi Vadim,
Thanks for your python script. I am using it with wazuh to forward all alerts to theHive. I also have integrated suricata with wazuh so that all the suricata alerts are seen on wazuh. I tried adding suricata alerts to be forwarded to theHive but it doesn't seem to be working.
Here's what I did: In the custom-w2thehive.py file I added the following condition:
if w_alert['rule']['groups'] == ["ids", "suricata"]:
with the already existing condition of lvl_threshold. But here's the catch: suricata has alerts from 1-3, 1 being the highest severity, which works against the lvl_threshold and the python script. I cannot just change the threshold to 1, which will flood my theHive. Is my conditional statement correct or do I need to do something else?
Thank you Aakash