Feature #1229

closed

Suricata alerts in CEF Format

Added by Giacomo Milani over 9 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

Many different security vendors of network security devices, log collectors and correlation engines now support an interoperability logging standard called CEF (Common Event Format).

Aligning the logging output will improve interoperability and aims to ease correlating events generated by different devices.

Although it's possible to convert Suricata unified2 events with barnyard2 to CEF, I'm interested in developing native CEF support, to remove the dependency on third-party software and to reduce the I/O pressure and latency introduced by format conversion.

CEF is a text format and it can be logged raw to file or transported by syslog without breaking its standard.

An example of CEF event is the following one:

CEF:0|OISF|Suricata|2.0.1|1:9221001:1|Generic Protocol Command Decode|3|rt=14038633490004 act=alert proto=TCP src=141.76.x.x spt=80 dst=172.16.226.150 dpt=60134 msg=SURICATA test service=http method=GET request=/debian/pool/main/i/irssi/irssi_0.8.15-5_amd64.deb host=ftp.de.debian.org agent=Debian APT-HTTP/1.3 (0.9.7.9) status=200 contentLen=1152622 contentType=application/x-debian-package server=Apache/2.2.22 (Debian)

The event contains the common information already present in fast.log, the device vendor and device name (OISF/Suricata) and, if possible, it will also display some key/values extracted by the application layer (identified by the service= label).

Documentation of CEF format can be found at the following link: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/78000/KB78712/en_US/CEF_White_Paper_20100722.pdf
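To make the format concrete, here is an added Python example (not code from this ticket or from Suricata) that renders a constructed alert with the same fields as the event above as a CEF:0 line and parses it back. It applies the escaping the CEF white paper requires (backslash and pipe in header fields; backslash, equals sign and line breaks in extension values), which is what keeps a raw or syslog-transported line unambiguous for a collector. The dict layout, field names and sample values are assumptions made for the example.

```python
import re

# Constructed sample alert with the same fields as the event quoted above (addresses and
# the app-layer request are made up); the request contains "=" and "|" on purpose.
ALERT = {
    "vendor": "OISF", "product": "Suricata", "version": "2.0.1",
    "gid": 1, "sid": 9221001, "rev": 1, "severity": 3,
    "msg": "Generic Protocol Command Decode", "timestamp_ms": 1403863349000,
    "proto": "TCP", "src": "192.0.2.10", "spt": 80, "dst": "172.16.226.150", "dpt": 60134,
    "app": {"service": "http", "method": "GET", "request": "/cgi?a=1|b=2", "host": "example.org"},
}

def esc_header(value):
    """Header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def esc_ext(value):
    """Extension values: backslash, '=' and line breaks must be escaped."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(a):
    """Render one alert as a CEF:0 line: 7 pipe-separated header fields, then key=value pairs."""
    header = ["CEF:0", a["vendor"], a["product"], a["version"],
              f'{a["gid"]}:{a["sid"]}:{a["rev"]}', a["msg"], a["severity"]]
    ext = {"rt": a["timestamp_ms"], "act": "alert", "proto": a["proto"], "src": a["src"],
           "spt": a["spt"], "dst": a["dst"], "dpt": a["dpt"]}
    ext.update(a.get("app", {}))  # app-layer key/values, as in the example event
    return ("|".join(esc_header(h) for h in header) + "|"
            + " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items()))

HEADER_FIELD = re.compile(r"((?:\\.|[^|\\])*)\|")            # up to the next unescaped pipe
EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s\w+=|$)")  # values may contain spaces
UNESCAPE = {"n": "\n", "r": "\r"}

def unescape(s):
    return re.sub(r"\\(.)", lambda m: UNESCAPE.get(m.group(1), m.group(1)), s)

def parse_cef(line):
    """Parse a CEF line into (header fields, extension dict); raises on a short header."""
    fields, pos = [], 0
    for _ in range(7):
        m = HEADER_FIELD.match(line, pos)
        if not m:
            raise ValueError("malformed CEF header: fewer than 7 fields")
        fields.append(unescape(m.group(1)))
        pos = m.end()
    ext = {k: unescape(v) for k, v in EXT_PAIR.findall(line[pos:])}
    return fields, ext
```

The parser also handles the event quoted above as-is, including extension values that contain spaces such as the agent and server strings.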
