-
@revere521 - At your leisure would you mind providing some raw snort logs along with the enriched output? Looking to add some further enrichment to suricata/snort for utilization of the built-in SIEM.
-
Sorry @a3ilson, have been observing a low-tech weekend. Here is a whole day (or at least several hours) of snort alert log messages with the community rules and the IPS/IDS set to maximum detection: How do you want me to capture the enriched data? A copy and paste of the raw discover - or is there a way to export it?
-
It's pretty bare bones, some of the enrichment comes from geoip outside of snort logs. There is also a feature called App ID - that is supposed to list the application generating the traffic (the list is open source and specific to pfsense I think). I'm not sure if it works correctly, but it generates logs like below (which trigger _grokparsefailures - but I've largely ignored them because frankly the feature appears broken)
-
Alright - I've been running for two days without errors with the suricata enrichments file located here. I'll take a stab at snort but based on the limited data... I'm not overly optimistic I can enrich beyond their current state. Example of current Suricata log:
Not sure I'll post with the current pfelk files (minimize confusion) but rather store within another folder on the pfelk repo as an add-on - thoughts?
-
Currently building out Snort/Suricata enhancement with the goal to populate the built-in SIEM and new dashboards with enriched data.
Suricata is posted here and I'm working on Snort. However, wanted to see, one, if there is an interest and, two, if someone would be willing to test, provided current Snort logs, both original and parsed.
Thanks!