Suricata alerts in CEF Format
Many vendors of network security devices, log collectors and correlation engines now support an interoperability logging standard called CEF (Common Event Format).
Aligning the logging output with it improves interoperability and makes it easier to correlate events generated by different devices.
Although it is possible to convert Suricata unified2 events to CEF with barnyard2, I'm interested in developing native CEF support, to remove the dependency on third-party software and to reduce the I/O pressure and latency introduced by format conversion.
CEF is a text format: it can be logged raw to a file or transported over syslog without breaking the standard.
An example CEF event:
CEF:0|OISF|Suricata|2.0.1|1:9221001:1|Generic Protocol Command Decode|3|rt=14038633490004 act=alert proto=TCP src=141.76.x.x spt=80 dst=172.16.226.150 dpt=60134 msg=SURICATA test service=http method=GET request=/debian/pool/main/i/irssi/irssi_0.8.15-5_amd64.deb host=ftp.de.debian.org agent=Debian APT-HTTP/1.3 (0.9.7.9) status=200 contentLen=1152622 contentType=application/x-debian-package server=Apache/2.2.22 (Debian)
The event contains the common information already present in fast.log, the device vendor and device name (OISF/Suricata) and, where possible, some key/value pairs extracted from the application layer (identified by the service= label).
Documentation of the CEF format can be found at the following link: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/78000/KB78712/en_US/CEF_White_Paper_20100722.pdf
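To make the record layout concrete, here is an added example (not Suricata's or ArcSight's code) of a small Python encoder and parser for CEF lines; it applies the escaping rules from the CEF white paper (backslash-escaped '|' in the header, backslash-escaped '=' in the extension) and is run against a shortened copy of the event above.

```python
# Minimal CEF encoder/decoder, added as an example for this ticket; it is
# not Suricata or ArcSight code. Escaping follows the CEF white paper: the
# header escapes '|' and '\', extension values escape '=' and '\'.
import re
HEADER_KEYS = ("cef_version", "vendor", "product", "version",
               "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")   # 'key=' boundaries
# Shortened copy of the example event from the ticket, used as parser input.
SAMPLE = ("CEF:0|OISF|Suricata|2.0.1|1:9221001:1|Generic Protocol Command Decode"
          "|3|rt=14038633490004 act=alert proto=TCP src=141.76.x.x spt=80 "
          "dst=172.16.226.150 dpt=60134 msg=SURICATA test service=http "
          "agent=Debian APT-HTTP/1.3 (0.9.7.9) server=Apache/2.2.22 (Debian)")

def _esc_header(s):   # backslash first so the pipe escape is not doubled
    return s.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(s):      # same idea for extension values, where '=' is special
    return s.replace("\\", "\\\\").replace("=", "\\=")

def format_cef(vendor, product, version, sig_id, name, severity, ext):
    """Build one line: CEF:0|Vendor|Product|Version|SigID|Name|Severity|k=v ..."""
    head = "|".join(_esc_header(str(f)) for f in
                    (vendor, product, version, sig_id, name, severity))
    return "CEF:0|%s|%s" % (head, " ".join(
        "%s=%s" % (k, _esc_ext(str(v))) for k, v in ext.items()))

def _split_header(line):
    fields, cur, i = [], [], 0          # stop after the 7th unescaped pipe
    while i < len(line) and len(fields) < 7:
        if line[i] == "\\" and i + 1 < len(line):   # escaped char: keep literally
            cur.append(line[i + 1]); i += 1
        elif line[i] == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(line[i])
        i += 1
    return fields, line[i:]             # remainder is the extension part

def parse_cef(line):
    """Return (header dict, extension dict); raises ValueError on bad input."""
    fields, ext = _split_header(line)
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(HEADER_KEYS, [fields[0][4:]] + fields[1:]))
    hits, values = list(_KEY_RE.finditer(ext)), {}
    for m, nxt in zip(hits, hits[1:] + [None]):   # value runs up to next key
        raw = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        values[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)   # undo escaping
    return header, values
```

Values containing spaces (msg, agent, server) survive because the parser only splits at `key=` tokens that follow whitespace, which is also why a producer must escape any literal '=' inside a value.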
Updated by Kile Morgan over 4 years ago
CEF is used a lot with ArcSight; however, ArcSight also has a JSON file and folder follower flex connector. I just asked the ArcSight guy, and even if you did output in CEF you might still need to write PCRE to map values into ArcSight (that was our biggest problem and why we went JSON). Just my two cents.