pfelk
Replies: 5 comments 6 replies
-
|
@revere521 - At your leisure would you mind providing some raw snort logs along with the enriched output? Looking to add some further enrichment to suricata/snort for utilization of the built-in SIEM. |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
Sorry @a3ilson, have been observing a low tech weekend.. here is a whole day (or at least several hours) of snort alert log messages with the community rules and the IPS/IDS set to maximum detection: How do you want me to capture the enriched data? a copy and paste of the raw discover - or is there a way to export it? |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
Thanks! This works. I am able to enrich based on the provided logs. I'll take a more in-depth look tomorrow and see what can be enriched...was hoping these logs contained more specificity but either way I may revise to align with the built-in SIEM. |
Beta Was this translation helpful? Give feedback.
-
|
Its pretty bare bones, some of the enrichment comes from geoip outside of snort logs. there is also a feature called App ID - that is supposed to list the application generating the traffic (the list is opensource and specific to pfsense i think). I'm not sure if it works correctly, but it generates logs like below (which trigger _grokparsefailures - but I've largely ignored them becasue frankly the feature appears broken) |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
Alright - I've been running for two days without errors with the suricata enrichments file located here. I'll take a stab at snort but based on the limited data...I'm not overly optimistic I can enrich beyond their current state. Example of current Suricata log: Not sure I'll post with the current pfelk files (minimize confusion) but rather store within another folder on the pfelk repo as an add-on - thouhgts? |
Beta Was this translation helpful? Give feedback.
5 replies
-
|
Its not a bad idea to be able to to look at the SEIM, while still allowing the choice to run the current dashboard. I can help evaluate when its ready and I have some time to play, but more importantly others can as well. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks! It's currently amiable for utilization with the built-in SIEM.
I'll add a Wiki page, in the future, to outline the process for those desiring to utilize and/or incorporate. |
Beta Was this translation helpful? Give feedback.
-
|
@a3ilson I haven't forgotten about this, but I have some family stuff going on that's taking my time and attention. I will get back into the swing once that settles down some. |
Beta Was this translation helpful? Give feedback.
-
|
No worries and hope all is well. I'll likely update the snort grok pattern today to match and leverage the built-in SIEM. However, I'll update the grok pattern within the experimental folder until your able to test and update the dashboard...no hurries. |
Beta Was this translation helpful? Give feedback.
-
|
@revere521 - I made some changes with the snort grok filter which will break the current dashboard. I have not posted the revision yet and will await your availability for initial testing and dashboard update, prior to updating the main repo. Here is the updated grok pattern: Next, I added some additional enrichment and you'll need to utilize these files:
These changes will allow for the dashboard and/or SIEM |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Currently building out Snort/Suricata enhancement with the goal to populate the built-in SIEM and new dashboards with enriched data.
Suricata is posted here and I'm working on Snort. However, wanted to see if one there is an interest and two if someone would be willing to test, provided current Snort logs both original and parsed.
Thanks!
Beta Was this translation helpful? Give feedback.
All reactions