[Oisf-users] Suricata Logs

Alan Wanderley dos Santos alan.santos at rnp.br
Tue Jul 28 12:54:28 UTC 2015 

Hi mr. Moe, 

Really, there are more things about. I forgot to say that works for our envorinment (not necessarily by being a CSIRT), because we have a system to parsers these emails and generated a lot of useful information (graphs, statitics and reports). 

Samishka and all , 

Well, as i said, in my environment , all incidentes are reported by email. These emails are sented to system that process and notify our clients automatically. The system adds all incidents colleted by us, or reported to us. 

But, this system is for all incidents, not just from suricata. So, i'm thinking in other way to collect data from the suricata instances. Maybe some stats from each suricata instance (each instance process your own data). For example: top events, how many matchs by rules, how many data processed (and more that i do not think yet). These information are sufficient for a general view. 

For http_log, we are working in other solution. To avoid the traffic of a lot of LOGs to a master server, we sent just a blacklist with the bad URLs (collected by us, or reported by APWG and others) to each suricata instance. So, there are a script that search for a match between our blacklist and de http_log. If matches, generates a alert. I'm not improve this feature, but, a think that is a solution for us. We don't worry about all http access from our clients, just the access to bad Urls (like phishing, malware and etc). 

Probably, for DNS log is possible do something like that. 

I hope these ideas are useful. 

Best Regards, 

----------------------------------------------- 
Alan Santos 
Analista de Segurança 
Centro de Atendimento a Incidentes de Segurança (CAIS) 
Rede Nacional de Ensino e Pesquisa (RNP) 
(19) 3787-3314 | alan.santos at rnp.br 


De: "Andreas Moe" <moe.andreas at gmail.com> 
Para: "oisf-users" <oisf-users at lists.openinfosecfoundation.org> 
Enviadas: Segunda-feira, 27 de julho de 2015 17:54:13 
Assunto: Re: [Oisf-users] Suricata Logs 

With regards to Alan Santos reply. With 20 suricata instances, and the posibility of massive amounts of events (everything that suricata can produce) email is in now way, form or fashion a good choice. Saying that this works for you since you are CSIRT is not a valid argument. This since CSIRTs can be anything from a 5 man company having one guy who thinks he knows how security / suricata / siem / irt works, to a coorparation with 500+ thousand employees. 

2015-07-27 22:49 GMT+02:00 Andreas Moe < moe.andreas at gmail.com > : 



Well. 20 suricata engines (at different locations), will generate alot of logs. Sure, ELK (Elasticsearch, Logstash, Kibana) is free, and Splunk can index alot of stuff (as long as you pay). But i think that the problem here (seeing that you are talking about so many log locations) is now what technical solution to gather the logs. But think of all the coorelation, aggregation and data-enrichment that these solutions are providing... None? To futher demonstrate my point; How are you going to hande thousands and tens of thousands of events (http, dns, smtp, alerts) per second? What is relevant, what is not? 

TL;DR version: From one to a handfull of suricata instances with low bandwith you can manage this through a simple ELK/Splunk setup. After that, in my profesional oppinion something more has to be done. Ex: an MSSP or a SSP (kinda new, but Siem Solutions Provider). 

2015-07-27 22:39 GMT+02:00 Leonard Jacobs < ljacobs at netsecuris.com > : 

BQ_BEGIN



https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output 



https://github.com/pevma/Suricata-Logstash-Templates 



Or if you program and you want a customized application, you can write code to enter fast.log into a database then write a front end to the database to display the data. 




From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto: oisf-users-bounces at lists.openinfosecfoundation.org ] On Behalf Of Saxena, Samiksha 
Sent: Monday, July 27, 2015 12:54 PM 
To: oisf-users 
Subject: [Oisf-users] Suricata Logs 





Hi, 





I will have more than 20 Suricata engines, where each suricata engine will generate logs based on rules. I want to collect all the logs at one common place from each suricata engine. How should I achieve this? 


Also, what is the value of the logs files and how often the logs are generated? 








Thanks 

_______________________________________________ 
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org 
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/ 
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users 
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net 





BQ_END



_______________________________________________ 
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org 
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/ 
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users 
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150728/48dcce83/attachment-0002.html>

More information about the Oisf-users mailing list