Skip to content

Suricata

Overview

Suricata is a free and open source, mature, fast and robust network threat detection engine. Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Network device logs The multiple kinds of logs offered by suricata provide a good overview of the network activity
Network intrusion detection system The alert logs give information about events that matched a rule in the NIDS
Network protocol analysis The multiple kind of logs offered by suricata offer a good overview of the network activity
Web logs Suricata http.log provides many web information like the connected client, the requested resource or even the user agent
DNS records If enabled Suricata can log DNS queries and answers
SSL/TLS certificates If enabled Suricata may log information about the TLS certificates

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind alert, event
Category network
Type connection, info

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": " {\"timestamp\":\"2024-01-07T19:54:41.712927+0000\",\"flow_id\":520221496542071,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"1.2.3.4\",\"src_port\":44244,\"dest_ip\":\"10.0.4.4\",\"dest_port\":2375,\"proto\":\"TCP\",\"metadata\":{\"flowints\":{\"http.anomaly.count\":1}},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221014,\"rev\":1,\"signature\":\"SURICATA HTTP missing Host header\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"url\":\"/version\",\"http_content_type\":\"application/json\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":404,\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":4,\"bytes_toserver\":265,\"bytes_toclient\":701,\"start\":\"2024-01-07T19:54:41.492407+0000\"}}",
    "event": {
        "category": [
            "network"
        ],
        "kind": "alert",
        "severity": 3,
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-01-07T19:54:41.712927Z",
    "action": {
        "name": "allowed",
        "properties": {
            "category": "Generic Protocol Command Decode",
            "signature": "SURICATA HTTP missing Host header",
            "signature_id": "2221014"
        },
        "type": "alert"
    },
    "destination": {
        "address": "10.0.4.4",
        "ip": "10.0.4.4",
        "port": 2375
    },
    "host": {
        "ip": "1.2.3.4"
    },
    "http": {
        "request": {
            "method": "GET"
        },
        "response": {
            "bytes": 0,
            "mime_type": "application/json",
            "status_code": 404
        },
        "version": "1.1"
    },
    "network": {
        "protocol": "TCP"
    },
    "related": {
        "ip": [
            "1.2.3.4",
            "10.0.4.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "bytes": 265,
        "ip": "1.2.3.4",
        "port": 44244
    },
    "url": {
        "original": "/version",
        "path": "/version"
    }
}
{
    "message": " {\"timestamp\":\"2024-01-16T15:31:05.676280+0000\",\"flow_id\":2027746959634226,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"10.0.4.4\",\"src_port\":57584,\"dest_ip\":\"169.254.169.254\",\"dest_port\":80,\"proto\":\"TCP\",\"community_id\":\"1:aymnqZT++/Mb1TKCNw5wagfU4lo=\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":1,\"rev\":0,\"signature\":\"Agent\",\"category\":\"\",\"severity\":3},\"http\":{\"hostname\":\"169.254.169.254\",\"url\":\"/metadata/instance?api-version=2018-02-01\",\"http_user_agent\":\"WALinuxAgent/2.2.47+health\",\"http_content_type\":\"application/json\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":658},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":2,\"bytes_toserver\":455,\"bytes_toclient\":971,\"bypassed\":{\"pkts_toserver\":0,\"pkts_toclient\":0,\"bytes_toserver\":0,\"bytes_toclient\":0},\"start\":\"2024-01-16T15:31:05.667442+0000\"}}",
    "event": {
        "category": [
            "network"
        ],
        "kind": "alert",
        "severity": 3,
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-01-16T15:31:05.676280Z",
    "action": {
        "name": "allowed",
        "properties": {
            "signature": "Agent",
            "signature_id": "1"
        },
        "type": "alert"
    },
    "destination": {
        "address": "169.254.169.254",
        "ip": "169.254.169.254",
        "port": 80
    },
    "host": {
        "ip": "10.0.4.4"
    },
    "http": {
        "request": {
            "method": "GET"
        },
        "response": {
            "bytes": 658,
            "mime_type": "application/json",
            "status_code": 200
        },
        "version": "1.1"
    },
    "network": {
        "community_id": "1:aymnqZT++/Mb1TKCNw5wagfU4lo=",
        "protocol": "TCP"
    },
    "related": {
        "hosts": [
            "169.254.169.254"
        ],
        "ip": [
            "10.0.4.4",
            "169.254.169.254"
        ]
    },
    "source": {
        "address": "10.0.4.4",
        "bytes": 455,
        "ip": "10.0.4.4",
        "port": 57584
    },
    "url": {
        "domain": "169.254.169.254",
        "original": "/metadata/instance?api-version=2018-02-01",
        "path": "/metadata/instance",
        "query": "api-version=2018-02-01"
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "WALinuxAgent/2.2.47+health",
        "os": {
            "name": "Linux"
        }
    }
}
{
    "message": "{\"timestamp\":\"2024-01-03T10:59:59.869444+0100\",\"flow_id\":1341218162162105,\"in_iface\":\"ens192\",\"event_type\":\"anomaly\",\"src_ip\":\"10.200.52.1\",\"src_port\":80,\"dest_ip\":\"10.200.61.2\",\"dest_port\":59730,\"proto\":\"TCP\",\"tx_id\":0,\"anomaly\":{\"app_proto\":\"http\",\"type\":\"applayer\",\"event\":\"REQUEST_AUTH_UNRECOGNIZED\",\"layer\":\"proto_parser\"}}",
    "event": {
        "action": "REQUEST_AUTH_UNRECOGNIZED",
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-01-03T09:59:59.869444Z",
    "action": {
        "type": "anomaly"
    },
    "destination": {
        "address": "10.200.61.2",
        "ip": "10.200.61.2",
        "port": 59730
    },
    "host": {
        "ip": "10.200.52.1"
    },
    "network": {
        "protocol": "TCP"
    },
    "related": {
        "ip": [
            "10.200.52.1",
            "10.200.61.2"
        ]
    },
    "source": {
        "address": "10.200.52.1",
        "ip": "10.200.52.1",
        "port": 80
    }
}
{
    "message": "{\"host\":\"probe\",\"system\":{\"memory\":{\"page_stats\":{\"pgsteal_direct\":{\"pages\":94402103},\"kswapd_efficiency\":{\"pct\":0.9952},\"direct_efficiency\":{\"pct\":0.9978},\"pgfree\":{\"pages\":44400483918},\"pgscan_kswapd\":{\"pages\":534123009},\"pgscan_direct\":{\"pages\":94613971},\"pgsteal_kswapd\":{\"pages\":531564648}},\"cached\":6572060672,\"used\":{\"pct\":0.3987,\"bytes\":13438373888},\"total\":33706483712,\"hugepages\":{\"used\":{\"pct\":0,\"bytes\":0},\"surplus\":0,\"total\":0,\"reserved\":0,\"swap\":{\"out\":{\"pages\":0,\"fallback\":55}},\"default_size\":2097152,\"free\":0},\"swap\":{\"readahead\":{\"cached\":7349,\"pages\":11798},\"used\":{\"pct\":0.0191,\"bytes\":306184192},\"out\":{\"pages\":869821},\"total\":15997071360,\"in\":{\"pages\":31105},\"free\":15690887168},\"free\":20268109824,\"actual\":{\"free\":26929573888,\"used\":{\"pct\":0.2011,\"bytes\":6776909824}}}},\"agent\":{\"version\":\"7.17.10\",\"type\":\"metricbeat\",\"name\":\"probe\",\"id\":\"8c2941ae-caf1-4b35-bead-caae1d21aa96\",\"hostname\":\"probe\",\"ephemeral_id\":\"09850e5a-6478-4e6e-92c3-cf10e3a3a89d\"},\"@version\":\"1\",\"type\":\"json-log\",\"tenant\":\"0\",\"metricset\":{\"period\":30000,\"name\":\"memory\"},\"tags\":[\"beats_input_raw_event\"],\"service\":{\"type\":\"system\"},\"@timestamp\":\"2023-12-08T15:06:47.131Z\",\"logger\":\"logstash-manager\",\"event\":{\"dataset\":\"system.memory\",\"module\":\"system\",\"duration\":2640456}}",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "action": {
        "type": "beats_input_raw_event"
    },
    "host": {
        "name": "probe"
    }
}
{
    "message": "{\"timestamp\":\"2019-12-17T14:09:39.935301+0000\",\"flow_id\":1335601175718181,\"in_iface\":\"eth0\",\"event_type\":\"dns\",\"src_ip\":\"172.31.0.2\",\"src_port\":53,\"dest_ip\":\"172.31.0.204\",\"dest_port\":46414,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":38236,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rrname\":\"rp1.sekoia.io\",\"rrtype\":\"AAAA\",\"rcode\":\"NOERROR\",\"authorities\":[{\"rrname\":\"sekoia.io\",\"rrtype\":\"SOA\",\"ttl\":60}]}}",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2019-12-17T14:09:39.935301Z",
    "action": {
        "type": "dns"
    },
    "destination": {
        "address": "172.31.0.204",
        "ip": "172.31.0.204",
        "port": 46414
    },
    "dns": {
        "answers": [
            {
                "name": "rp1.sekoia.io",
                "type": "AAAA"
            }
        ],
        "id": "38236",
        "response_code": "NOERROR",
        "size_in_char": 13,
        "type": "answer"
    },
    "host": {
        "ip": "172.31.0.2"
    },
    "network": {
        "protocol": "UDP"
    },
    "related": {
        "ip": [
            "172.31.0.2",
            "172.31.0.204"
        ]
    },
    "source": {
        "address": "172.31.0.2",
        "ip": "172.31.0.2",
        "port": 53
    }
}
{
    "message": "{\"src_ip\":\"10.107.208.11\",\"flow_id\":1531972173335705,\"in_iface\":\"eth0\",\"proto\":\"UDP\",\"hostname_info\":{\"tld\":\"cc\",\"subdomain\":\"org.repo.release.build\",\"url\":\"org.repo.release.build.test.com\",\"domain\":\"test.com\",\"host\":\"org.repo.release.build.test.com\",\"domain_without_tld\":\"one\"},\"alerted\":true,\"input\":{\"type\":\"log\"},\"logger\":\"logstash-manager\",\"type\":\"json-log\",\"dns\":{\"grouped\":{\"A\":[\"1.2.3.62\",\"1.2.3.92\",\"1.2.3.3\",\"1.2.3.57\"]},\"rrtype\":\"A\",\"flags\":\"8180\",\"rrname\":\"org.repo.release.build.test.com\",\"type\":\"answer\",\"ra\":true,\"rcode\":\"NOERROR\",\"id\":62415,\"version\":2,\"rd\":true,\"qr\":true},\"see_id\":\"00505689aa0a\",\"@version\":\"1\",\"ether\":{\"src_mac\":\"00:50:56:89:fb:d6\",\"dest_mac\":\"00:50:56:89:f3:ed\"},\"app_proto\":\"dns\",\"dest_port\":53,\"target\":{\"dest\":{\"sequence_total\":2.0,\"fqdn\":\"dc.corp.com\",\"id\":\"dc\",\"hardware_cpu\":8.0,\"egress_networks\":[\"dc_int\"],\"name\":\"DC\",\"visibility\":\"public\",\"vm_name\":\"xs23_dc.corp.com\",\"description\":\"DC Primary Domain Controller\",\"addr\":\"10.107.201.100\",\"hardware_ram\":8.0,\"capabilities\":[],\"id_full\":\"dc-dc_01_t02\",\"services\":[],\"spec_name\":\"dc-dc\",\"hardware_primary_disk_size\":60.0,\"sequence_tag\":\"dc\",\"owner\":\"Allar Viik\",\"tags\":[\"int\",\"os_windows\",\"os_windows_server\",\"os_windows_server_2022\",\"bt\",\"team_blue\",\"dc\",\"custom_bt_domain_controller\",\"dc\"],\"role\":\"dc\",\"connection_network\":\"dc_int\",\"id\":\"dc-dc\",\"customization_context\":\"host\"},\"src\":{\"sequence_total\":null,\"fqdn\":\"first.dc.02.corp.com\",\"id\":\"dc\",\"hardware_cpu\":2.0,\"egress_networks\":[\"dc_5g_core\"],\"name\":\"DC\",\"visibility\":\"public\",\"vm_name\":\"dc-vm.corp.com\",\"description\":null,\"addr\":\"10.107.208.11\",\"hardware_ram\":4.0,\"capabilities\":[],\"id_full\":\"first_t02\",\"services\":[],\"spec_name\":\"first\",\"hardware_primary_disk_size\":25.0,\"sequence_tag\":null,\"owner\":\"Julian Sturm\",\"tags\":[\"5g_core\",\"os_linux\",\"os_ubuntu\",\"os_ubuntu_22_04\",\"bt\",\"team_blue\",\"dc\",\"fiveg_db\"],\"role\":\"first\",\"connection_network\":\"dc_5g_core\",\"id\":\"first\",\"customization_context\":\"host\"}},\"@timestamp\":\"2023-12-07T10:51:01.819Z\",\"event_type\":\"dns\",\"timestamp\":\"2023-12-07T10:51:01.819001+0000\",\"agent\":{\"type\":\"filebeat\",\"hostname\":\"probe\",\"id\":\"9f305fa4-6db1-485c-81f9-598dce1469e3\",\"version\":\"7.17.10\",\"name\":\"probe\",\"ephemeral_id\":\"b1db2027-720f-41e4-9798-dc8a0ea21017\"},\"tags\":[\"beats_input_codec_json_applied\"],\"log\":{\"offset\":146571591,\"file\":{\"path\":\"/var/log/suricata/eve-1.json\"}},\"tenant\":2,\"src_port\":38141,\"host\":\"probe\",\"see_name\":\"server\",\"net_info\":{\"src_agg\":\"dc\",\"src\":[\"dc\",\"bt\"],\"dest_agg\":\"dc.bt\",\"dest\":[\"dc\",\"bt\"]},\"dest_ip\":\"10.107.201.100\"}",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2023-12-07T10:51:01.819001Z",
    "action": {
        "type": "dns"
    },
    "destination": {
        "address": "10.107.201.100",
        "ip": "10.107.201.100",
        "port": 53
    },
    "dns": {
        "answers": [
            {
                "name": "1.2.3.62",
                "type": "A"
            },
            {
                "name": "1.2.3.92",
                "type": "A"
            },
            {
                "name": "1.2.3.3",
                "type": "A"
            },
            {
                "name": "1.2.3.57",
                "type": "A"
            }
        ],
        "id": "62415",
        "question": {
            "name": "org.repo.release.build.test.com",
            "registered_domain": "test.com",
            "subdomain": "org.repo.release.build",
            "top_level_domain": "com",
            "type": "A"
        },
        "response_code": "NOERROR",
        "size_in_char": 31,
        "type": "answer"
    },
    "host": {
        "ip": "10.107.208.11"
    },
    "network": {
        "protocol": "UDP"
    },
    "related": {
        "hosts": [
            "org.repo.release.build.test.com"
        ],
        "ip": [
            "10.107.201.100",
            "10.107.208.11"
        ]
    },
    "source": {
        "address": "10.107.208.11",
        "ip": "10.107.208.11",
        "port": 38141
    }
}
{
    "message": "{\"timestamp\":\"2019-12-17T14:09:39.935301+0000\",\"flow_id\":1335601175718181,\"in_iface\":\"eth0\",\"event_type\":\"dns\",\"src_ip\":\"172.31.0.2\",\"src_port\":53,\"dest_ip\":\"172.31.0.204\",\"dest_port\":46414,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":38236,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"answers\":[{\"rrname\":\"sekoia.io\",\"rrtype\":\"SOA\",\"ttl\":60},{\"rrname\":\"rp1.sekoia.io\",\"rrtype\":\"A\",\"ttl\":10,\"rdata\":\"192.1.10.34\"}]}}",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2019-12-17T14:09:39.935301Z",
    "action": {
        "type": "dns"
    },
    "destination": {
        "address": "172.31.0.204",
        "ip": "172.31.0.204",
        "port": 46414
    },
    "dns": {
        "answers": [
            {
                "name": "sekoia.io",
                "type": "SOA"
            },
            {
                "name": "rp1.sekoia.io",
                "type": "A"
            }
        ],
        "id": "38236",
        "response_code": "NOERROR",
        "type": "answer"
    },
    "host": {
        "ip": "172.31.0.2"
    },
    "network": {
        "protocol": "UDP"
    },
    "related": {
        "ip": [
            "172.31.0.2",
            "172.31.0.204"
        ]
    },
    "source": {
        "address": "172.31.0.2",
        "ip": "172.31.0.2",
        "port": 53
    }
}
{
    "message": "{\"timestamp\":\"2019-12-17T14:10:39.885554+0000\",\"flow_id\":2012569629852466,\"in_iface\":\"eth0\",\"event_type\":\"dns\",\"src_ip\":\"172.31.0.204\",\"src_port\":58107,\"dest_ip\":\"172.31.0.2\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":42259,\"rrname\":\"rp1.sekoia.io\",\"rrtype\":\"A\",\"tx_id\":0}}",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2019-12-17T14:10:39.885554Z",
    "action": {
        "type": "dns"
    },
    "destination": {
        "address": "172.31.0.2",
        "ip": "172.31.0.2",
        "port": 53
    },
    "dns": {
        "id": "42259",
        "question": {
            "name": "rp1.sekoia.io",
            "registered_domain": "sekoia.io",
            "subdomain": "rp1",
            "top_level_domain": "io",
            "type": "A"
        },
        "size_in_char": 13,
        "type": "query"
    },
    "host": {
        "ip": "172.31.0.204"
    },
    "network": {
        "protocol": "UDP"
    },
    "related": {
        "hosts": [
            "rp1.sekoia.io"
        ],
        "ip": [
            "172.31.0.2",
            "172.31.0.204"
        ]
    },
    "source": {
        "address": "172.31.0.204",
        "ip": "172.31.0.204",
        "port": 58107
    }
}
{
    "message": " {\"timestamp\":\"2024-01-09T15:12:24.540473+0000\",\"flow_id\":1820734905123445,\"in_iface\":\"eth0\",\"event_type\":\"flow\",\"src_ip\":\"10.0.4.4\",\"src_port\":49250,\"dest_ip\":\"1.2.3.4\",\"dest_port\":443,\"proto\":\"TCP\",\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":12,\"pkts_toclient\":12,\"bytes_toserver\":1842,\"bytes_toclient\":11086,\"start\":\"2024-01-09T15:07:44.721525+0000\",\"end\":\"2024-01-09T15:07:44.740950+0000\",\"age\":0,\"state\":\"closed\",\"reason\":\"timeout\",\"alerted\":false},\"tcp\":{\"tcp_flags\":\"1b\",\"tcp_flags_ts\":\"1b\",\"tcp_flags_tc\":\"1b\",\"syn\":true,\"fin\":true,\"psh\":true,\"ack\":true,\"state\":\"closed\"}}",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-01-09T15:12:24.540473Z",
    "action": {
        "type": "flow"
    },
    "destination": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "port": 443
    },
    "host": {
        "ip": "10.0.4.4"
    },
    "network": {
        "protocol": "TCP"
    },
    "related": {
        "ip": [
            "1.2.3.4",
            "10.0.4.4"
        ]
    },
    "source": {
        "address": "10.0.4.4",
        "bytes": 1842,
        "ip": "10.0.4.4",
        "port": 49250
    }
}
{
    "message": " {\"timestamp\":\"2024-01-08T15:01:19.875607+0000\",\"flow_id\":320394061813648,\"in_iface\":\"eth0\",\"event_type\":\"ftp\",\"src_ip\":\"1.2.3.4\",\"src_port\":58265,\"dest_ip\":\"10.0.4.4\",\"dest_port\":22,\"proto\":\"TCP\",\"tx_id\":0,\"ftp\":{\"command\":\"USER\",\"command_data\":\"anonymous\",\"reply\":[\"SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3\"],\"reply_received\":\"yes\"}}",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-01-08T15:01:19.875607Z",
    "action": {
        "type": "ftp"
    },
    "destination": {
        "address": "10.0.4.4",
        "ip": "10.0.4.4",
        "port": 22
    },
    "host": {
        "ip": "1.2.3.4"
    },
    "network": {
        "protocol": "TCP"
    },
    "related": {
        "ip": [
            "1.2.3.4",
            "10.0.4.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "port": 58265
    }
}
{
    "message": "{\"timestamp\":\"2020-01-27T21:11:18.578947+0000\",\"flow_id\":792581754900635,\"pcap_cnt\":3444,\"event_type\":\"alert\",\"src_ip\":\"10.20.30.101\",\"src_port\":49778,\"dest_ip\":\"203.176.135.102\",\"dest_port\":8082,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.BotccIP\"]},\"http\":{\"hostname\":\"203.176.135.102\",\"http_port\":8082,\"url\":\"/mor84/DESKTOP-83TKHSQ_W10018363.572D588D45894026346E8F90E07B31E6/90\",\"http_user_agent\":\"KSKJJGJ\",\"http_content_type\":\"text/plain\",\"http_method\":\"POST\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":3},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":7,\"bytes_toserver\":5427,\"bytes_toclient\":502,\"start\":\"2020-01-27T21:11:16.708763+0000\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100494,\"rev\":12,\"signature\":\"GPL ATTACK_RESPONSE command completed\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"updated_at\":[\"2010_09_23\"],\"created_at\":[\"2010_09_23\"]}}}",
    "event": {
        "category": [
            "network"
        ],
        "kind": "alert",
        "severity": 2,
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2020-01-27T21:11:18.578947Z",
    "action": {
        "name": "allowed",
        "properties": {
            "category": "Potentially Bad Traffic",
            "signature": "GPL ATTACK_RESPONSE command completed",
            "signature_id": "2100494"
        },
        "type": "alert"
    },
    "destination": {
        "address": "203.176.135.102",
        "ip": "203.176.135.102",
        "port": 8082
    },
    "host": {
        "ip": "10.20.30.101"
    },
    "http": {
        "request": {
            "method": "POST"
        },
        "response": {
            "bytes": 3,
            "mime_type": "text/plain",
            "status_code": 200
        },
        "version": "1.1"
    },
    "network": {
        "protocol": "TCP"
    },
    "related": {
        "hosts": [
            "203.176.135.102"
        ],
        "ip": [
            "10.20.30.101",
            "203.176.135.102"
        ]
    },
    "source": {
        "address": "10.20.30.101",
        "bytes": 5427,
        "ip": "10.20.30.101",
        "port": 49778
    },
    "url": {
        "domain": "203.176.135.102",
        "original": "/mor84/DESKTOP-83TKHSQ_W10018363.572D588D45894026346E8F90E07B31E6/90",
        "path": "/mor84/DESKTOP-83TKHSQ_W10018363.572D588D45894026346E8F90E07B31E6/90"
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "KSKJJGJ",
        "os": {
            "name": "Other"
        }
    }
}
{
    "message": " {\"timestamp\":\"2024-01-07T20:05:01.422020+0000\",\"flow_id\":293887458056333,\"in_iface\":\"eth0\",\"event_type\":\"smb\",\"src_ip\":\"1.2.3.4\",\"src_port\":49492,\"dest_ip\":\"10.0.4.4\",\"dest_port\":2375,\"proto\":\"TCP\",\"smb\":{\"id\":1,\"dialect\":\"unknown\",\"command\":\"SMB1_COMMAND_NEGOTIATE_PROTOCOL\",\"session_id\":0,\"tree_id\":0,\"client_dialects\":[\"PC NETWORK PROGRAM 1.0\",\"MICROSOFT NETWORKS 1.03\",\"MICROSOFT NETWORKS 3.0\",\"LANMAN1.0\",\"LM1.2X002\",\"Samba\",\"NT LANMAN 1.0\",\"NT LM 0.12\"],\"server_guid\":\"\"}}",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-01-07T20:05:01.422020Z",
    "action": {
        "type": "smb"
    },
    "destination": {
        "address": "10.0.4.4",
        "ip": "10.0.4.4",
        "port": 2375
    },
    "host": {
        "ip": "1.2.3.4"
    },
    "network": {
        "protocol": "TCP"
    },
    "related": {
        "ip": [
            "1.2.3.4",
            "10.0.4.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "port": 49492
    }
}
{
    "message": " {\"timestamp\":\"2024-01-09T15:11:44.835699+0000\",\"flow_id\":694519333924807,\"in_iface\":\"eth0\",\"event_type\":\"ssh\",\"src_ip\":\"1.2.3.4\",\"src_port\":35730,\"dest_ip\":\"10.0.4.4\",\"dest_port\":22,\"proto\":\"TCP\",\"tx_id\":0,\"ssh\":{\"client\":{\"proto_version\":\"2.0\",\"software_version\":\"libssh_0.9.6\"},\"server\":{\"proto_version\":\"2.0\",\"software_version\":\"OpenSSH_8.4p1\"}}}",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2024-01-09T15:11:44.835699Z",
    "action": {
        "type": "ssh"
    },
    "destination": {
        "address": "10.0.4.4",
        "ip": "10.0.4.4",
        "port": 22
    },
    "host": {
        "ip": "1.2.3.4"
    },
    "network": {
        "protocol": "TCP"
    },
    "related": {
        "ip": [
            "1.2.3.4",
            "10.0.4.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "port": 35730
    }
}
{
    "message": " {\"timestamp\": \"2024-01-09T15:13:00.667785+0000\", \"event_type\": \"stats\", \"stats\": {\"uptime\": 450501, \"capture\": {\"kernel_packets\": 7349877, \"kernel_drops\": 2158, \"errors\": 0}, \"decoder\": {\"pkts\": 7347719, \"bytes\": 4645180192, \"invalid\": 0, \"ipv4\": 7343837, \"ipv6\": 3882, \"ethernet\": 7347719, \"chdlc\": 0, \"raw\": 0, \"null\": 0, \"sll\": 0, \"tcp\": 7343737, \"udp\": 3859, \"sctp\": 0, \"icmpv4\": 0, \"icmpv6\": 123, \"ppp\": 0, \"pppoe\": 0, \"geneve\": 0, \"gre\": 0, \"vlan\": 0, \"vlan_qinq\": 0, \"vxlan\": 0, \"ieee8021ah\": 0, \"teredo\": 0, \"ipv4_in_ipv6\": 0, \"ipv6_in_ipv6\": 0, \"mpls\": 0, \"avg_pkt_size\": 632, \"max_pkt_size\": 1514, \"max_mac_addrs_src\": 0, \"max_mac_addrs_dst\": 0, \"erspan\": 0, \"event\": {\"ipv4\": {\"pkt_too_small\": 0, \"hlen_too_small\": 0, \"iplen_smaller_than_hlen\": 0, \"trunc_pkt\": 0, \"opt_invalid\": 0, \"opt_invalid_len\": 0, \"opt_malformed\": 0, \"opt_pad_required\": 0, \"opt_eol_required\": 0, \"opt_duplicate\": 0, \"opt_unknown\": 0, \"wrong_ip_version\": 0, \"icmpv6\": 0, \"frag_pkt_too_large\": 0, \"frag_overlap\": 0, \"frag_ignored\": 0}, \"icmpv4\": {\"pkt_too_small\": 0, \"unknown_type\": 0, \"unknown_code\": 0, \"ipv4_trunc_pkt\": 0, \"ipv4_unknown_ver\": 0}, \"icmpv6\": {\"unknown_type\": 0, \"unknown_code\": 0, \"pkt_too_small\": 0, \"ipv6_unknown_version\": 0, \"ipv6_trunc_pkt\": 0, \"mld_message_with_invalid_hl\": 0, \"unassigned_type\": 0, \"experimentation_type\": 0}, \"ipv6\": {\"pkt_too_small\": 0, \"trunc_pkt\": 0, \"trunc_exthdr\": 0, \"exthdr_dupl_fh\": 0, \"exthdr_useless_fh\": 0, \"exthdr_dupl_rh\": 0, \"exthdr_dupl_hh\": 0, \"exthdr_dupl_dh\": 0, \"exthdr_dupl_ah\": 0, \"exthdr_dupl_eh\": 0, \"exthdr_invalid_optlen\": 0, \"wrong_ip_version\": 0, \"exthdr_ah_res_not_null\": 0, \"hopopts_unknown_opt\": 0, \"hopopts_only_padding\": 0, \"dstopts_unknown_opt\": 0, \"dstopts_only_padding\": 0, \"rh_type_0\": 0, \"zero_len_padn\": 0, \"fh_non_zero_reserved_field\": 0, \"data_after_none_header\": 0, \"unknown_next_header\": 0, \"icmpv4\": 0, \"frag_pkt_too_large\": 0, \"frag_overlap\": 0, \"frag_ignored\": 0, \"ipv4_in_ipv6_too_small\": 0, \"ipv4_in_ipv6_wrong_version\": 0, \"ipv6_in_ipv6_too_small\": 0, \"ipv6_in_ipv6_wrong_version\": 0}, \"tcp\": {\"pkt_too_small\": 0, \"hlen_too_small\": 0, \"invalid_optlen\": 0, \"opt_invalid_len\": 0, \"opt_duplicate\": 0}, \"udp\": {\"pkt_too_small\": 0, \"hlen_too_small\": 0, \"hlen_invalid\": 0}, \"sll\": {\"pkt_too_small\": 0}, \"ethernet\": {\"pkt_too_small\": 0}, \"ppp\": {\"pkt_too_small\": 0, \"vju_pkt_too_small\": 0, \"ip4_pkt_too_small\": 0, \"ip6_pkt_too_small\": 0, \"wrong_type\": 0, \"unsup_proto\": 0}, \"pppoe\": {\"pkt_too_small\": 0, \"wrong_code\": 0, \"malformed_tags\": 0}, \"gre\": {\"pkt_too_small\": 0, \"wrong_version\": 0, \"version0_recur\": 0, \"version0_flags\": 0, \"version0_hdr_too_big\": 0, \"version0_malformed_sre_hdr\": 0, \"version1_chksum\": 0, \"version1_route\": 0, \"version1_ssr\": 0, \"version1_recur\": 0, \"version1_flags\": 0, \"version1_no_key\": 0, \"version1_wrong_protocol\": 0, \"version1_malformed_sre_hdr\": 0, \"version1_hdr_too_big\": 0}, \"vlan\": {\"header_too_small\": 0, \"unknown_type\": 0, \"too_many_layers\": 0}, \"ieee8021ah\": {\"header_too_small\": 0}, \"ipraw\": {\"invalid_ip_version\": 0}, \"ltnull\": {\"pkt_too_small\": 0, \"unsupported_type\": 0}, \"sctp\": {\"pkt_too_small\": 0}, \"mpls\": {\"header_too_small\": 0, \"pkt_too_small\": 0, \"bad_label_router_alert\": 0, \"bad_label_implicit_null\": 0, \"bad_label_reserved\": 0, \"unknown_payload_type\": 0}, \"vxlan\": {\"unknown_payload_type\": 0}, \"geneve\": {\"unknown_payload_type\": 0}, \"erspan\": {\"header_too_small\": 0, \"unsupported_version\": 0, \"too_many_vlan_layers\": 0}, \"dce\": {\"pkt_too_small\": 0}}}, \"flow\": {\"memcap\": 0, \"tcp\": 181930, \"udp\": 3809, \"icmpv4\": 0, \"icmpv6\": 123, \"tcp_reuse\": 212, \"get_used\": 0, \"get_used_eval\": 0, \"get_used_eval_reject\": 0, \"get_used_eval_busy\": 0, \"get_used_failed\": 0, \"wrk\": {\"spare_sync_avg\": 100, \"spare_sync\": 181, \"spare_sync_incomplete\": 0, \"spare_sync_empty\": 0, \"flows_evicted_needs_work\": 165396, \"flows_evicted_pkt_inject\": 182621, \"flows_evicted\": 2891, \"flows_injected\": 164908}, \"mgr\": {\"full_hash_pass\": 1878, \"closed_pruned\": 0, \"new_pruned\": 0, \"est_pruned\": 0, \"bypassed_pruned\": 0, \"rows_maxlen\": 2, \"flows_checked\": 233704, \"flows_notimeout\": 50882, \"flows_timeout\": 182822, \"flows_timeout_inuse\": 0, \"flows_evicted\": 182893, \"flows_evicted_needs_work\": 164908}, \"spare\": 9885, \"emerg_mode_entered\": 0, \"emerg_mode_over\": 0, \"memuse\": 7474304}, \"defrag\": {\"ipv4\": {\"fragments\": 0, \"reassembled\": 0, \"timeouts\": 0}, \"ipv6\": {\"fragments\": 0, \"reassembled\": 0, \"timeouts\": 0}, \"max_frag_hits\": 0}, \"flow_bypassed\": {\"local_pkts\": 14998, \"local_bytes\": 989868, \"local_capture_pkts\": 0, \"local_capture_bytes\": 0, \"closed\": 0, \"pkts\": 0, \"bytes\": 0}, \"tcp\": {\"sessions\": 174905, \"ssn_memcap_drop\": 0, \"pseudo\": 0, \"pseudo_failed\": 0, \"invalid_checksum\": 1111, \"no_flow\": 0, \"syn\": 175192, \"synack\": 183305, \"rst\": 10555, \"midstream_pickups\": 0, \"pkt_on_wrong_thread\": 0, \"segment_memcap_drop\": 0, \"stream_depth_reached\": 83, \"reassembly_gap\": 6, \"overlap\": 2270, \"overlap_diff_data\": 0, \"insert_data_normal_fail\": 0, \"insert_data_overlap_fail\": 0, \"insert_list_fail\": 0, \"memuse\": 1146920, \"reassembly_memuse\": 731180}, \"detect\": {\"engines\": [{\"id\": 0, \"last_reload\": \"2024-01-04T10:04:39.457663+0000\", \"rules_loaded\": 57, \"rules_failed\": 2}], \"alert\": 7500}, \"app_layer\": {\"flow\": {\"http\": 8109, \"ftp\": 1, \"smtp\": 0, \"tls\": 148529, \"ssh\": 16650, \"imap\": 0, \"smb\": 0, \"dcerpc_tcp\": 0, \"dns_tcp\": 0, \"nfs_tcp\": 0, \"ntp\": 0, \"ftp-data\": 0, \"tftp\": 0, \"ikev2\": 0, \"krb5_tcp\": 0, \"dhcp\": 0, \"snmp\": 0, \"sip\": 0, \"rfb\": 0, \"mqtt\": 0, \"rdp\": 0, \"failed_tcp\": 16, \"dcerpc_udp\": 0, \"dns_udp\": 50, \"nfs_udp\": 0, \"krb5_udp\": 0, \"failed_udp\": 3759}, \"tx\": {\"http\": 8145, \"ftp\": 1, \"smtp\": 0, \"tls\": 0, \"ssh\": 0, \"imap\": 0, \"smb\": 1, \"dcerpc_tcp\": 0, \"dns_tcp\": 0, \"nfs_tcp\": 0, \"ntp\": 0, \"ftp-data\": 0, \"tftp\": 0, \"ikev2\": 0, \"krb5_tcp\": 0, \"dhcp\": 0, \"snmp\": 0, \"sip\": 0, \"rfb\": 0, \"mqtt\": 0, \"rdp\": 0, \"dcerpc_udp\": 0, \"dns_udp\": 100, \"nfs_udp\": 0, \"krb5_udp\": 0}, \"expectations\": 0}, \"http\": {\"memuse\": 160825, \"memcap\": 0}, \"ftp\": {\"memuse\": 0, \"memcap\": 0}}}",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-01-09T15:13:00.667785Z",
    "action": {
        "type": "stats"
    }
}
{
    "message": "{\"timestamp\":\"2020-01-27T21:27:10.693784+0000\",\"flow_id\":1303642123387833,\"pcap_cnt\":4623,\"src_ip\":\"190.214.13.2\",\"src_port\":449,\"dest_ip\":\"10.20.30.101\",\"dest_port\":49791,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.BotccIP\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2011540,\"rev\":6,\"signature\":\"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)\",\"category\":\"Not Suspicious Traffic\",\"severity\":3,\"metadata\":{\"updated_at\":[\"2017_11_27\"],\"created_at\":[\"2010_09_27\"],\"former_category\":[\"POLICY\"]}},\"tls\":{\"subject\":\"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd\",\"issuerdn\":\"C=AU, ST=Some-State, O=InternetWidgitsPtyLtd\",\"serial\":\"00:A8:B9:FF:C1:BD:D5:7E:02\",\"fingerprint\":\"0b:92:69:6e:6e:9e:54:22:8b:fa:61:d3:be:be:5b:0e:d6:b6:1c:80\",\"version\":\"TLSv1\",\"notbefore\":\"2019-12-12T13:14:43\",\"notafter\":\"2020-12-11T13:14:43\",\"ja3\":{}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":4,\"bytes_toserver\":675,\"bytes_toclient\":1500,\"start\":\"2020-01-27T21:27:09.705465+0000\"}}",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "severity": 3,
        "type": [
            "connection"
        ]
    },
    "@timestamp": "2020-01-27T21:27:10.693784Z",
    "action": {
        "name": "allowed",
        "properties": {
            "category": "Not Suspicious Traffic",
            "signature": "ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)",
            "signature_id": "2011540"
        }
    },
    "destination": {
        "address": "10.20.30.101",
        "ip": "10.20.30.101",
        "port": 49791
    },
    "host": {
        "ip": "190.214.13.2"
    },
    "network": {
        "protocol": "TCP"
    },
    "related": {
        "ip": [
            "10.20.30.101",
            "190.214.13.2"
        ]
    },
    "source": {
        "address": "190.214.13.2",
        "bytes": 675,
        "ip": "190.214.13.2",
        "port": 449
    },
    "tls": {
        "client": {
            "issuer": "C=AU, ST=Some-State, O=InternetWidgitsPtyLtd",
            "ja3": "{}",
            "not_after": "2020-12-11T13:14:43Z",
            "not_before": "2019-12-12T13:14:43Z",
            "subject": "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"
        },
        "version": "TLSv1"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
action.name keyword
action.properties.category keyword
action.properties.severity keyword
action.properties.signature keyword
action.properties.signature_id keyword
action.type keyword
destination.ip ip IP address of the destination.
destination.port long Port of the destination.
dns.answers object Array of DNS answers.
dns.id keyword The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
dns.response_code keyword The DNS response code.
dns.size_in_char number
dns.type keyword The type of DNS event captured, query or answer.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.severity long Numeric severity of the event.
event.type keyword Event type. The third categorization field in the hierarchy.
host.ip ip Host ip addresses.
host.name keyword Name of the host.
http.request.method keyword HTTP request method.
http.request.referrer keyword Referrer for this HTTP request.
http.response.bytes long Total size in bytes of the response (body and headers).
http.response.mime_type keyword Mime type of the body of the response.
http.response.status_code long HTTP response status code.
http.version keyword HTTP version.
network.community_id keyword A hash of source and destination IPs and ports.
network.protocol keyword Application protocol name.
source.bytes long Bytes sent from the source to the destination.
source.ip ip IP address of the source.
source.port long Port of the source.
tls.client.issuer keyword Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
tls.client.ja3 keyword A hash that identifies clients based on how they perform an SSL/TLS handshake.
tls.client.not_after date Date/Time indicating when client certificate is no longer considered valid.
tls.client.not_before date Date/Time indicating when client certificate is first considered valid.
tls.client.server_name keyword Hostname the client is trying to connect to. Also called the SNI.
tls.client.subject keyword Distinguished name of subject of the x.509 certificate presented by the client.
tls.version keyword Numeric part of the version parsed from the original string.
url.domain keyword Domain of the url.
url.original wildcard Unmodified original url as seen in the event source.
user_agent.original keyword Unparsed user_agent string.

Configure

Suricata leverages its EVE output module to report alerts, metadata, file info and protocol records in JSON. As described in the official documentation, this module can report its findings through the syslog facility.

Configure Suricata to forward events to rsyslog

Open the Suricata configuration file (please note that the path to the configuration file may change depending on the OS and your configuration):

sudo vim /etc/suricata/suricata.yaml

Paste the following declaration in your suricata configuration to trigger the production of syslog entries under the local5 facility:

outputs:
  - eve-log:
      enabled: yes
      type:syslog
      identity: suricata
      facility: local5
      level: Info
      types:
        - alert
        - http
        - dns
        - tls

Configure the Rsyslog server

Given this Suricata configuration, your local rsyslog server will handle produced records. Please consult the Rsyslog Transport documentation to forward these logs to Sekoia.io.

Further Readings