70_dsiem-plugin_suricata.conf
###############################################################################
# Dsiem suricata Plugin
# Type: SID
#
# Auto-generated by dpluger on 2019-11-08T13:19:32+07:00
###############################################################################
filter {
  # 1st step: identify the source log and clone it into a second event. The clone
  # filter tags the copy with type => "siem_events"; the original event is left
  # untouched and keeps flowing through its own pipeline.
  # Only records that carry an [alert] object are cloned, so non-alert suricata
  # records never reach the normalization step below.
  if [application] == "suricata" and [alert] {
    clone {
      clones => [ "siem_events" ]
    }
    # 2nd step: remove the source log identifier from the clone, so that the clone
    # will not go through the same pipeline as the source log. Also remove the
    # temporary type field, replacing it with @metadata fields that the rest of the
    # siem pipeline keys on. (@metadata is not emitted by outputs, so these markers
    # stay inside logstash.)
    if [type] == "siem_events" {
      mutate {
        id => "tag normalizedEvent 1001"
        remove_field => [ "[application]" , "type" ]
        add_field => {
          "[@metadata][siem_plugin_type]" => "suricata"
          "[@metadata][siem_data_type]" => "normalizedEvent"
        }
      }
    }
  }
}
# 3rd step: the actual event normalization, so that the clone matches the format dsiem expects.
#
# Required fields:
# timestamp (date), title (string), sensor (string), product (string), dst_ip (string), src_ip (string)
#
# For PluginRule type plugin, the following are also required:
# plugin_id (integer), plugin_sid (integer)
#
# For TaxonomyRule type plugin, the following is also required:
# category (string)
#
# Optional fields:
# These fields are optional but should be included whenever possible since they can be used in directive rules:
# dst_port (integer), src_port (integer), protocol (string), subcategory (string)
#
# These fields are also optional and can be used in directive rules. They should be used for custom data that
# are not defined in standard SIEM fields.
# custom_label1 (string), custom_data1 (string), custom_label2 (string), custom_data2 (string)
# custom_label3 (string), custom_data3 (string)
#
# And this field is optional, and should be included if the original logs are also stored in elasticsearch.
# This will allow direct pivoting from alarm view in the web UI to the source index.
# src_index_pattern (string)
#
# All other fields from the source log are removed by the logstash prune plugin below.
filter {
  # Only the clone marked in step 2 enters here; the original suricata event is skipped.
  if [@metadata][siem_plugin_type] == "suricata" {
    # Parse the suricata ISO8601 timestamp string in place into a date object.
    date {
      id => "timestamp 1001"
      match => [ "[timestamp]", "ISO8601" ]
      target => [timestamp]
    }
    # Map suricata fields onto the dsiem schema. Every "%{[...]}" reference is a
    # sprintf expansion: when the referenced source field is absent, logstash leaves
    # the literal placeholder text in the target field. The [alert] guard in the
    # clone step means the [alert][*] references should resolve; [host][name],
    # [proto], [dest_ip], [src_ip], [src_port] and [dest_port] are not guarded, and
    # only custom_data1 is checked for an unresolved placeholder further down.
    mutate {
      id => "siem_event fields 1001"
      replace => {
        "title" => "%{[alert][signature]}"
        "src_index_pattern" => "suricata-*"
        "sensor" => "%{[host][name]}"
        "product" => "Network Intrusion Detection System"
        "src_ip" => "%{[src_ip]}"
        "dst_ip" => "%{[dest_ip]}"
        "protocol" => "%{[proto]}"
        "category" => "%{[alert][category]}"
        "plugin_id" => "1001"
        "plugin_sid" => "%{[alert][signature_id]}"
        "src_port" => "%{[src_port]}"
        "dst_port" => "%{[dest_port]}"
        # custom_data1 carries the printable packet payload: content chosen by the
        # sender of the traffic, so it is untrusted data from the point of view of
        # everything that consumes the normalized event (UI, directive rules).
        "custom_label1" => "payload"
        "custom_data1" => "%{[payload_printable]}"
      }
    }
    # dsiem requires plugin_id/plugin_sid and the ports as integers, not strings.
    # NOTE(review): if one of these still holds an unresolved "%{...}" placeholder,
    # the result of convert on that string should be confirmed against the mutate
    # filter version in use.
    mutate {
      id => "integer fields 1001"
      convert => {
        "plugin_id" => "integer"
        "plugin_sid" => "integer"
        "src_port" => "integer"
        "dst_port" => "integer"
      }
    }
    # Drop the payload pair when the source record had no payload_printable field
    # (the placeholder text was left in custom_data1 by the replace above).
    if [custom_data1] == "%{[payload_printable]}" { mutate { remove_field => [ "custom_label1", "custom_data1" ]}}
    # delete fields except those included in the whitelist below. The entries are
    # regexes; anything that does not match is removed, which is what keeps the
    # remaining raw suricata fields out of the normalized event.
    # NOTE(review): "@timestamp$" and "@metadata" are unanchored at the start unlike
    # the other entries; harmless for the current field set, but anchoring them
    # would keep the whitelist uniform.
    prune {
      whitelist_names => [ "@timestamp$" , "^timestamp$", "@metadata", "^src_index_pattern$", "^title$", "^sensor$", "^product$",
        "^src_ip$", "^dst_ip$", "^plugin_id$", "^plugin_sid$", "^category$", "^subcategory$",
        "^src_port$", "^dst_port$", "^protocol$", "^custom_label1$", "^custom_label2$", "^custom_label3$",
        "^custom_data1$", "^custom_data2$", "^custom_data3$" ]
    }
  }
}