Suricata Integration Guide
This guide is intended to demonstrate how to configure logging from Suricata to Secureworks® Taegis™ XDR only, and not how to configure the sensor itself. Topics such as log rotation are not covered.
Prerequisites
- Suricata 5.0.x installed and running
- syslog-ng installed and running (the configuration below declares @version:3.19, so the installed syslog-ng must be at least that version)
Data Provided from Integration
Antivirus | Auth | DHCP | DNS | Encrypt | Filemod | HTTP | Management | Netflow | NIDS | Process | Thirdparty | ||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Suricata | D | D | D | D, V |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configuration for syslog-ng on Suricata Sensor
The following syslog-ng.conf does one job only: it tails Suricata's eve.json and forwards each line, unparsed, to the Taegis™ XDR Collector over TCP port 601.
@version:3.19
source s_suricata {
    # '/var/log/suricata/' is the default-log-dir set in your suricata.yaml;
    # eve.json is Suricata's default eve-log filename, which scwx-suricata.yaml does not change.
    file("/var/log/suricata/eve.json"
        flags(no-parse)   # send the whole line as the message; do not try to parse it as a syslog record
    );
};
destination d_collector_tcp {
    tcp("192.168.1.45" port(601));   # 192.168.1.45 is the collector IP
};
log {
    source(s_suricata);
    destination(d_collector_tcp);
};
The records travel in clear text, and because scwx-suricata.yaml enables payload and packet logging on alerts they include base64 packet and payload data, so keep the sensor-to-collector path on a trusted network segment.
Configuration for Suricata Sensor
This section covers only the logging changes needed on the sensor to send events to XDR, not how to tune the sensor itself.
- Edit your suricata.yaml file and add the following line at the end of the configuration: include: scwx-suricata.yaml
- Place scwx-suricata.yaml in the same directory as suricata.yaml.
- Review the settings that scwx-suricata.yaml will overwrite and adjust them if needed. The include redefines the whole outputs node, so every other output configured under outputs in suricata.yaml is replaced; the "stats are enabled but no loggers are active" warning in the example below is a consequence of that and is harmless. In particular check xff: set header to the header your proxies actually insert (it might not be X-Forwarded-For) and deployment to reverse or forward, depending on which side of the proxy the sensor sits.
- Run suricata -T -c /path/of/suricata/yaml/suricata.yaml to validate that suricata.yaml together with scwx-suricata.yaml loads cleanly.
Example:
root@0b8f0596b1ac:/# suricata -T -c /etc/suricata/suricata.yaml
[120] 28/2/2020 -- 21:13:35 - (suricata.c:1905) <Info> (ParseCommandLine) -- Running suricata under test mode
[120] 28/2/2020 -- 21:13:35 - (conf-yaml-loader.c:255) <Info> (ConfYamlParse) -- Including configuration file scwx-suricata.yaml.
[120] 28/2/2020 -- 21:13:35 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'outputs' redefined.
[120] 28/2/2020 -- 21:13:35 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'rule-files' redefined.
[120] 28/2/2020 -- 21:13:35 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 5.0.2 RELEASE running in SYSTEM mode
[120] 28/2/2020 -- 21:13:35 - (counters.c:297) <Warning> (StatsInitCtxPostOutput) -- [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
[120] 28/2/2020 -- 21:13:42 - (suricata.c:3060) <Notice> (main) -- Configuration provided was successfully loaded. Exiting.
scwx-suricata.yaml
# scwx-suricata.yaml
%YAML 1.1
---
# SecureWorks Suricata Configuration for 5.0.2 in eve format.
# Included from the end of suricata.yaml; this replaces the stock 'outputs'
# node entirely, so only the eve-log output below is active.
outputs:
  - eve-log:
      enabled: yes
      #XXX: SECUREWORKS: Prefix required.
      prefix: "SecureWorksSuricataConfiguration_v5.0.2 @cee: "
      json:
        escape-slash: no
        compact: yes
        preserve-order: yes
      community-id: true #XXX: SECUREWORKS: Enabled for context
      # Seed value for the ID output. Valid values are 0-65535.
      community-id-seed: 0
      xff:
        enabled: yes #XXX: SECUREWORKS: Enabled for context.
        mode: extra-data
        deployment: reverse #XXX: SECUREWORKS: Client can change if needed.
        header: X-Forwarded-For #XXX: SECUREWORKS: Client can change if needed.
      types:
        - alert:
            payload: yes #XXX: SECUREWORKS: Added context for Nids pcap.
            packet: yes #XXX: SECUREWORKS: Added context for Nids pcap.
        - anomaly:
            enabled: yes #XXX: SECUREWORKS: Keep defaults
            type:
              #decode: no
              #stream: no
              #applayer: yes
              #packethdr: no
        - http:
            extended: yes
        - dns:
            enabled: yes
            version: 2 #XXX: SECUREWORKS: version 1 will be ignored.
        - tls:
            extended: yes
        - files: # XXX: SECUREWORKS: sparse data type.
            enabled: no
        - drop:
            alerts: yes
            flows: all
        - smtp:
            extended: yes
        - dhcp:
            enabled: yes
            extended: no
        - ftp
        #- rdp # XXX: SECUREWORKS: off by default
        - nfs
        - smb
        - tftp
        - ikev2
        - krb5
        - snmp
        #- sip # XXX: SECUREWORKS: off by default
        - ssh
        - flow
# Used for local testing
# rule-files:
#   - suricata.rules
#   - local.rules
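Before pointing syslog-ng at eve.json it is worth confirming that what Suricata writes is what the collector expects: every line must start with the prefix from scwx-suricata.yaml and must carry a complete JSON object after it, since syslog-ng's flags(no-parse) forwards each line unchanged. The following checker is an added example, not code from the Secureworks guide or from Suricata, serving both the syslog-ng section and the scwx-suricata.yaml section above. It assumes the prefix string and the set of event types enabled in scwx-suricata.yaml, and the sample lines are constructed for the demonstration rather than captured from a sensor.

```python
import json
from collections import Counter

# Prefix set in scwx-suricata.yaml. Suricata writes it verbatim in front of
# every eve record, on the same line, so the collector can key on it.
EXPECTED_PREFIX = "SecureWorksSuricataConfiguration_v5.0.2 @cee: "

# Event types that scwx-suricata.yaml leaves enabled (files, rdp and sip are
# off, and no stats logger is configured). Assumed from the config above.
ENABLED_TYPES = {
    "alert", "anomaly", "http", "dns", "tls", "drop", "smtp", "dhcp", "ftp",
    "nfs", "smb", "tftp", "ikev2", "krb5", "snmp", "ssh", "flow",
}


def parse_eve_line(line):
    """Return (prefix_ok, record); record is None when the JSON is unusable.

    With flags(no-parse) syslog-ng forwards the line exactly as written, so
    this is the same split the collector has to make.
    """
    line = line.rstrip("\r\n")
    if not line.startswith(EXPECTED_PREFIX):
        return False, None
    try:
        record = json.loads(line[len(EXPECTED_PREFIX):])
    except json.JSONDecodeError:
        return True, None
    return True, record if isinstance(record, dict) else None


def check_eve_lines(lines):
    """Tally prefix, JSON and event-type problems across eve.json lines."""
    summary = {
        "total": 0,
        "missing_prefix": 0,
        "bad_json": 0,
        "event_types": Counter(),
        "unexpected_types": Counter(),
        "alerts_without_community_id": 0,
        "dns_not_v2": 0,
    }
    for line in lines:
        if not line.strip():
            continue
        summary["total"] += 1
        prefix_ok, rec = parse_eve_line(line)
        if not prefix_ok:
            summary["missing_prefix"] += 1
            continue
        if rec is None:
            summary["bad_json"] += 1
            continue
        event_type = rec.get("event_type", "")
        summary["event_types"][event_type] += 1
        if event_type not in ENABLED_TYPES:
            summary["unexpected_types"][event_type] += 1
        # community-id: true should stamp every flow-bound record; check alerts.
        if event_type == "alert" and "community_id" not in rec:
            summary["alerts_without_community_id"] += 1
        # dns version 2 records carry "version": 2 inside the dns object;
        # version 1 records do not, and XDR ignores them.
        if event_type == "dns" and rec.get("dns", {}).get("version") != 2:
            summary["dns_not_v2"] += 1
    return summary


# Constructed sample lines (not real sensor output) covering the cases above.
SAMPLE_LINES = [
    EXPECTED_PREFIX + json.dumps({
        "timestamp": "2020-02-28T21:13:35.000000+0000", "event_type": "alert",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "community_id": "1:example=",
        "alert": {"signature_id": 1, "signature": "TEST rule"},
    }),
    EXPECTED_PREFIX + json.dumps({
        "event_type": "dns", "dns": {"version": 2, "type": "query", "rrname": "example.com"},
    }),
    # v1-style dns record without a version key
    EXPECTED_PREFIX + json.dumps({"event_type": "dns", "dns": {"type": "query"}}),
    # a stats record means a stats logger is active that scwx-suricata.yaml does not define
    EXPECTED_PREFIX + json.dumps({"event_type": "stats", "stats": {"uptime": 1}}),
    # a line written without the prefix, e.g. before the include was in place
    json.dumps({"event_type": "flow"}),
    # a line read while Suricata was still writing it
    EXPECTED_PREFIX + '{"event_type": "http", "http": {',
]

if __name__ == "__main__":
    result = check_eve_lines(SAMPLE_LINES)
    for key, value in result.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run it against the real file with check_eve_lines(open("/var/log/suricata/eve.json")); a non-zero missing_prefix count after the include is in place means Suricata is still running the old outputs block, and anything in unexpected_types is an output the collector was not configured for.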