Suricata Integration Guide



This guide is intended to demonstrate how to configure logging from Suricata to Secureworks® Taegis™ XDR only, and not how to configure the sensor itself. Topics such as log rotation are not covered.

Prerequisites

Data Provided from Integration

          Antivirus  Auth  DHCP  DNS  Email  Encrypt  Filemod  HTTP  Management  Netflow  NIDS  Process  Thirdparty
Suricata                         D                             D                 D        D, V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configuration for syslog-ng on Suricata Sensor

The following syslog-ng.conf handles only the collection of Suricata logs and their forwarding to the Taegis™ XDR Collector.

@version:3.19

source s_suricata {
    # '/var/log/suricata/' is what is defined in your suricata.yaml's default-log-dir setting.
    file("/var/log/suricata/eve.json"
        flags(no-parse)
    );
};

destination d_collector_tcp {
    tcp("192.168.1.45" port(601)); # 192.168.1.45 is the collector IP
};

log {
    source(s_suricata);
    destination(d_collector_tcp);
};

Configuration for Suricata Sensor

The following demonstrates how to configure logging from your sensor to XDR, and not how to configure the sensor itself.

  1. Edit your suricata.yaml file and add the following to the end of your configuration:

    include: scwx-suricata.yaml

  2. Place scwx-suricata.yaml in the same directory as suricata.yaml.

  3. Review the changes that scwx-suricata.yaml will overwrite, and adjust if needed.

    For example, configure xff to use the right header (your environment might use a different field than X-Forwarded-For) and deployment type (reverse vs. forward).

  4. Run suricata -T -c /path/of/suricata/yaml/suricata.yaml to validate that the configuration in suricata.yaml and scwx-suricata.yaml is OK.

Example:

root@0b8f0596b1ac:/# suricata -T -c /etc/suricata/suricata.yaml
[120] 28/2/2020 -- 21:13:35 - (suricata.c:1905) <Info> (ParseCommandLine) -- Running suricata under test mode
[120] 28/2/2020 -- 21:13:35 - (conf-yaml-loader.c:255) <Info> (ConfYamlParse) -- Including configuration file scwx-suricata.yaml.
[120] 28/2/2020 -- 21:13:35 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'outputs' redefined.
[120] 28/2/2020 -- 21:13:35 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'rule-files' redefined.
[120] 28/2/2020 -- 21:13:35 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 5.0.2 RELEASE running in SYSTEM mode
[120] 28/2/2020 -- 21:13:35 - (counters.c:297) <Warning> (StatsInitCtxPostOutput) -- [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
[120] 28/2/2020 -- 21:13:42 - (suricata.c:3060) <Notice> (main) -- Configuration provided was successfully loaded. Exiting.

scwx-suricata.yaml

%YAML 1.1
---
# scwx-suricata.yaml
# SecureWorks Suricata Configuration for 5.0.2 in eve format.

outputs:
    - eve-log:
        enabled: yes
        #XXX: SECUREWORKS: Prefix required.
        prefix: "SecureWorksSuricataConfiguration_v5.0.2 @cee: "
        json:
            escape-slash: no
            compact: yes
            preserve-order: yes
        community-id: true #XXX: SECUREWORKS: Enabled for context
        # Seed value for the ID output. Valid values are 0-65535.
        community-id-seed: 0

        xff:
            enabled: yes #XXX: SECUREWORKS: Enabled for context.
            mode: extra-data
            deployment: reverse #XXX: SECUREWORKS: Client can change if needed.
            header: X-Forwarded-For #XXX: SECUREWORKS: Client can change if needed.


        types:
            - alert:
                payload: yes #XXX: SECUREWORKS: Added context for Nids pcap.
                packet: yes #XXX: SECUREWORKS: Added context for Nids pcap.
            - anomaly:
                enabled: yes #XXX: SECUREWORKS: Keep defaults
                type:
                    #decode: no
                    #stream: no
                    #applayer: yes
                    #packethdr: no
            - http:
                extended: yes
            - dns:
                enabled: yes
                version: 2 #XXX: SECUREWORKS: version 1 will be ignored.
            - tls:
                extended: yes
            - files: # XXX: SECUREWORKS: sparse data type.
                enabled: no
            - drop:
                alerts: yes
                flows: all
            - smtp:
                extended: yes
            - dhcp:
                enabled: yes
                extended: no

            - ftp
              #- rdp # XXX: SECUREWORKS: off by default
            - nfs
            - smb
            - tftp
            - ikev2
            - krb5
            - snmp
              #- sip # XXX: SECUREWORKS: off by default
            - ssh
            - flow

# Used for local testing
# rule-files:
#    - suricata.rules
#    - local.rules
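
Once Suricata is running with scwx-suricata.yaml, the eve.json lines that syslog-ng forwards can be checked against the settings above. The following is an added example, not Secureworks or Suricata code; the function names and sample lines are constructed, and the field names `community_id`, `packet` and `dns.version` are assumed to follow Suricata's EVE output.

```python
import json

# Prefix from the eve-log "prefix" setting in scwx-suricata.yaml (marked required there).
PREFIX = "SecureWorksSuricataConfiguration_v5.0.2 @cee: "

def check_eve_line(line):
    """Return the problems found in one eve.json line (empty list = OK)."""
    if not line.startswith(PREFIX):
        return ["missing required prefix"]
    try:
        event = json.loads(line[len(PREFIX):])
        etype = event.get("event_type")  # AttributeError if not a JSON object
    except (json.JSONDecodeError, AttributeError):
        return ["text after prefix is not a JSON object"]
    problems = []
    if etype is None:
        problems.append("no event_type")
    # community-id: true -> flow records carry a version-1 ID ("1:<base64>").
    if etype == "flow" and not str(event.get("community_id", "")).startswith("1:"):
        problems.append("flow record without community_id")
    # alert: packet: yes -> base64 "packet" field on alerts.
    if etype == "alert" and "packet" not in event:
        problems.append("alert without packet")
    # dns: version: 2 -> answers are tagged "version": 2 (assumed EVE layout).
    dns = event.get("dns") or {}
    if etype == "dns" and isinstance(dns, dict) and dns.get("type") == "answer" and dns.get("version") != 2:
        problems.append("dns answer not in version 2 format")
    return problems

def audit(lines):
    """Map 1-based line number -> problems, skipping blank and clean lines."""
    report = {}
    for number, line in enumerate(lines, 1):
        problems = check_eve_line(line.rstrip("\n")) if line.strip() else []
        if problems:
            report[number] = problems
    return report

# Constructed sample lines (not captured from a real sensor).
SAMPLE = [
    PREFIX + '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","community_id":"1:AAAAAAAAAAAAAAAAAAAAAAAAAAA="}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    PREFIX + '{"event_type":"dns","dns":{"type":"answer","rrname":"example.com"}}',
    PREFIX + '{"event_type":"alert","alert":{"signature_id":1},"payload":"AAAA"}',
    PREFIX + '{"event_type":"flow","src_ip":"10.0.0.5"',
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a sensor, pass the open log file instead of the sample list, for example `audit(open("/var/log/suricata/eve.json"))`.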

 
