Saturday, March 5, 2016

Suricata Analysis in Splunk

This post assumes a fully working Suricata setup whose configuration file, suricata.yaml, is set to write separate http, xls, ssl, dns and alert files.

If you do not have one yet, use the reference links below.

Configuring and setting up Suricata
https://web.nsrc.org/workshops/2015/pacnog17-ws/raw-attachment/wiki/Track2Agenda/ex-suricata-config-test.htm

Suricata configuration file:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
https://github.com/inliniac/suricata/blob/master/suricata.yaml.in

The objective of this post is to use Splunk to analyse the Suricata output, walking through the Splunk SPL searches and dashboard XML.

Starting in 2.0, Suricata can write alerts, HTTP events, DNS events, TLS events and file info as JSON. The relevant outputs section of suricata.yaml:
outputs:
  - alert-json-log:
      enabled: yes
      filename: alert-json.log
  - dns-json-log:
      enabled: yes
      filename: dns-json.log
  - drop-json-log:
      enabled: yes
      filename: drop-json.log
  - http-json-log:
      enabled: yes
      filename: http-json.log
  - ssh-json-log:
      enabled: yes
      filename: ssh-json.log
  - tls-json-log:
      enabled: yes
      filename: tls-json.log


In my setup, Splunk is monitoring a folder where Suricata drops its output files, with signature names as prefix and date as suffix.
inputs.conf in Splunk.

Below is a set of informative dashboard panels that can help in understanding the Suricata alerts and the corresponding files.

In these use cases, source is the variable that can be controlled by an input form. The full code will be posted on my GitHub page.

Timeline of Events

index="network" sourcetype="pcap_json" source="*$source$*" alert.signature!="*suricata*" | timechart count by $split$ limit=10 useother=0 usenull=0

High Level Detail of Suricata Alerts

index="network" sourcetype="pcap_json" source="*$source$*" alert.signature!="*suricata*" | stats values(alert.category) values(src_ip) values(dest_ip) count by alert.signature
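The two searches above (the timeline and the per-signature summary) are easy to check offline before building a dashboard around them. The Python below is an added example written for this post, not code from the original post, Suricata or Splunk: it reads Suricata JSON alert lines, drops Suricata's own "SURICATA ..." stream/decoder anomaly signatures the way alert.signature!="*suricata*" does, and reproduces the stats and timechart results. The sample log lines and signature names are constructed for the example.

```python
"""Offline re-creation of the Splunk timechart and stats searches over
Suricata JSON alert lines. Added example, not from the post, Suricata or
Splunk; field names follow Suricata's JSON output, sample data is constructed."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of alert-json.log lines (signature names are made up,
# one deliberately corrupt line is included to show it is skipped).
SAMPLE_ALERT_LOG = """\
{"timestamp":"2016-03-05T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature":"EXAMPLE POLICY Cleartext Credentials","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2016-03-05T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature":"SURICATA STREAM excessive retransmissions","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2016-03-05T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature":"EXAMPLE POLICY Cleartext Credentials","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2016-03-05T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","alert":{"signature":"EXAMPLE MALWARE Beacon Checkin","category":"A Network Trojan was detected","severity":1}}
this line is not JSON and must be skipped
"""


def get_field(event, dotted_name):
    """Resolve a Splunk-style dotted field name such as 'alert.signature'."""
    value = event
    for part in dotted_name.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def parse_events(text):
    """Parse one JSON object per line; silently skip malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: drop it rather than abort the run
        if isinstance(obj, dict):
            events.append(obj)
    return events


def is_internal_alert(event):
    """Mirror alert.signature!="*suricata*": Suricata's own stream/decoder
    anomaly alerts are prefixed "SURICATA" and are noise for these panels."""
    sig = get_field(event, "alert.signature") or ""
    return "suricata" in sig.lower()


def stats_by_signature(events):
    """Mirror: stats values(alert.category) values(src_ip) values(dest_ip) count by alert.signature"""
    rows = defaultdict(lambda: {"categories": set(), "src_ips": set(), "dest_ips": set(), "count": 0})
    for ev in events:
        if get_field(ev, "event_type") != "alert":
            continue
        sig = get_field(ev, "alert.signature")
        if sig is None:
            continue
        row = rows[sig]
        row["count"] += 1
        for key, field in (("categories", "alert.category"), ("src_ips", "src_ip"), ("dest_ips", "dest_ip")):
            val = get_field(ev, field)
            if val is not None:
                row[key].add(val)
    # Splunk's values() returns a sorted, de-duplicated multivalue field
    return {sig: {k: (sorted(v) if isinstance(v, set) else v) for k, v in row.items()}
            for sig, row in rows.items()}


def timechart_count(events, span_seconds, split_by):
    """Mirror: timechart span=<n>s count by <split_by>; keys are UTC bucket starts."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ev in events:
        ts = get_field(ev, "timestamp")
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
        except (TypeError, ValueError):
            continue  # event without a parseable timestamp cannot be bucketed
        start = int(when.timestamp() // span_seconds) * span_seconds
        key = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
        buckets[key][str(get_field(ev, split_by))] += 1
    return {k: dict(v) for k, v in buckets.items()}


if __name__ == "__main__":
    alerts = [e for e in parse_events(SAMPLE_ALERT_LOG) if not is_internal_alert(e)]
    for sig, row in stats_by_signature(alerts).items():
        print(sig, row)
    print(timechart_count(alerts, 60, "alert.category"))
```

Point the script at a real alert-json.log to compare its output with the Splunk panels; a mismatch usually means the sourcetype is not extracting the nested JSON fields (alert.signature, alert.category) the searches rely on.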

Suricata IDS Alerts

index="network" sourcetype="pcap_json" source="*$source$*" event_type=alert alert.signature!="*suricata*" | iplocation src_ip | table timestamp pcap_cnt alert.signature alert.category src_ip City dest_ip dest_port

HTTP Traffic

index="network" sourcetype="pcap_json" source="*$source$*" event_type=http | iplocation src_ip | table timestamp pcap_cnt src_ip Country dest_ip dest_port http.http_content_type proto http.hostname http.url http.http_user_agent http.http_refer

DNS Traffic

index="network" sourcetype="pcap_json" source="*$source$*" event_type=dns | iplocation dns.rdata | table timestamp src_ip dest_ip dest_port dns.rdata Country dns.rrname dns.rrtype dns.type

TLS Traffic

index="network" sourcetype="pcap_json" source="*$source$*" event_type=tls | table timestamp pcap_cnt event_type src_ip dest_ip dest_port tls.issuerdn tls.subject

Files Downloaded

index="network" sourcetype="pcap_json" source="*$source$*" event_type=fileinfo | iplocation src_ip | table timestamp pcap_cnt event_type src_ip Country dest_ip dest_port fileinfo.filename fileinfo.filesize http.hostname http.url http.http_refer http.http_user_agent | sort timestamp