forked from philhagen/sof-elk
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path6400-suricata.conf
86 lines (86 loc) · 2.82 KB
/
6400-suricata.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# Author: Justin Henderson
# Email: [email protected]
# Last Update: 5/14/2016
#
# This conf file is based on accepting logs for suricata json events
filter {
if [type] == "suricata" {
date {
match => [ "timestamp", "ISO8601" ]
}
if [event_type] == "fileinfo" {
ruby {
code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
}
}
# I recommend renaming the fields below to be consistent with other log sources. This makes it easy to "pivot" between logs
mutate {
rename => {
"src_ip" => "source_ip"
"dest_ip" => "destination_ip"
"src_port" => "source_port"
"dest_port" => "destination_port"
}
}
# This will translate the alert.severity field into a severity field of either High, Medium, or Low
if [event_type] == "alert" {
if [alert][severity] == 1 {
mutate {
add_field => { "severity" => "High" }
}
}
if [alert][severity] == 2 {
mutate {
add_field => { "severity" => "Medium" }
}
}
if [alert][severity] == 3 {
mutate {
add_field => { "severity" => "Low" }
}
}
# If the alert is a Snort GPL alert break it apart for easier reading and categorization
if [alert][signature] =~ "GPL " {
# This will parse out the category type from the alert
grok {
match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Snort GPL" }
lowercase => [ "category" ]
}
}
# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
if [alert][signature] =~ "ET " {
# This will parse out the category type from the alert
grok {
match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Emerging Threats" }
lowercase => [ "category" ]
}
}
# This section adds URLs to lookup information about a rule online
if [rule_type] == "Snort GPL" {
mutate {
add_field => [ "Signature_Info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
}
}
if [rule_type] == "Emerging Threats" {
mutate {
add_field => [ "Signature_Info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
}
}
}
}
if [type] == "suricata" {
if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
# mutate {
# remove_field => [ "message" ]
# }
}
}
}