Feature #6999
openoutput/json: enrich EVE w/ libmaxminddb geoip info
Description
Work proposed and executed by Fandi Gunawan
PR: https://github.com/OISF/suricata/pull/10703
From PR description:
Adds optional geoip enrichment to the Eve log, enabled by setting the geoip-enrichment option under the eve-log configuration in suricata.yaml.
The JSON structure of geoip is based on Elastic ECS geo specification.
This is to avoid the cost of additional resources in RAM, CPU, and storage for achieving a similar result with logstash.
Updated by Juliana Fajardini Reichow 7 months ago
- Assignee changed from Community Ticket to Fandi Gunawan
Updated by Jason Ish 7 months ago
Current PR for review: https://github.com/OISF/suricata/pull/10703
Updated by Jason Ish 7 months ago
Some initial thoughts.
If Suricata is going to block or alert based on the geoip keyword, I think it is important to log that context along with the alert. GeoIP databases differ or get out of date, so you don't want Suricata making a decision on one GeoIP database and enriching that log with another.
What I'm not so sure about is if all events should be enriched. This is typically where I'd recommend post-processing. Moving it to Suricata because Logstash is slow isn't a very strong reason, as Logstash is generally slow and there could be other ways... Filebeat with Elastic ingest streams is probably much faster. And I'm hesitant to add yet another toggle to the config.
Thoughts? I think the ECS schema layout is good here, but should probably take a quick look at the OCSF schema for similar data as well.
Updated by Fandi Gunawan 7 months ago
Jason Ish wrote in #note-3:
Some initial thoughts.
If Suricata is going to block or alert based on the geoip keyword, I think it is important to log that context along with the alert. GeoIP databases differ or get out of date, so you don't want Suricata making a decision on one GeoIP database and enriching that log with another.
What I'm not so sure about is if all events should be enriched. This is typically where I'd recommend post-processing. Moving it to Suricata because Logstash is slow isn't a very strong reason, as Logstash is generally slow and there could be other ways... Filebeat with Elastic ingest streams is probably much faster. And I'm hesitant to add yet another toggle to the config.
Thoughts? I think the ECS schema layout is good here, but should probably take a quick look at the OCSF schema for similar data as well.
Yes, you are correct: the last publicly available database is from 2018; however, MaxMind provides a more recent and updated database through a different scheme.
To enrich data, the data needs to be deserialized and converted to another format, which is costly from my perspective. I added geoip support because Suricata supports geoip using the same library used by Logstash or Filebeat.
Updated by Juliana Fajardini Reichow 3 months ago
- Status changed from In Review to New
- Assignee changed from Fandi Gunawan to Community Ticket
Hello there, I'm unclaiming this ticket as stale, for now. Thanks for your work so far!
If you have more time in the future and would like to come back to contribute to our projects, you'll be most welcome.
WIP PR with changes requested: https://github.com/OISF/suricata/pull/10703