Suricata

Current PR for review: https://github.com/OISF/suricata/pull/10703

Some initial thoughts.

If Suricata is going to block, or alert based on the geoip keyword I think it is important to log that context along with the alert. GeoIP databases differ or get out of date so you don't want Suricata making a decision on one GeoIP database, and enriching that log with another.

What I'm not so sure about is if all events should be enriched. This is typically where I'd recommend post-processing. Moving it to Suricata because Logstash is slow isn't a very strong reason, as Logstash is generally slow and there could be other ways... Filebeat with Elastic ingest streams is probably much faster. And I'm hesitant to add yet another toggle to the config.

Thoughts? I think the ECS schema layout is good here, but should probably take a quick look at the OCSF schema for similar data as well.

Jason Ish wrote in #note-3:

Some initial thoughts.

If Suricata is going to block, or alert based on the geoip keyword I think it is important to log that context along with the alert. GeoIP databases differ or get out of date so you don't want Suricata making a decision on one GeoIP database, and enriching that log with another.

What I'm not so sure about is if all events should be enriched. This is typically where I'd recommend post-processing. Moving it to Suricata because Logstash is slow isn't a very strong reason, as Logstash is generally slow and there could be other ways... Filebeat with Elastic ingest streams is probably much faster. And I'm hesitant to add yet another toggle to the config.

Thoughts? I think the ECS schema layout is good here, but should probably take a quick look at the OCSF schema for similar data as well.

Yes you are correct, the last publicly available database is from 2018, however, MaxMind provides a more recent and updated database trough different scheme.
To enrich data, data needs to be deserialize and converted to other format is costly from my perspective. I adds geoip supports is due to Suricata supports geoip using the same library used by Logstash or Filebeat.

Hey all, I'd like to claim this ticket. I am adapting the original author's code with the last bit of feedback they received, updating the code for v8, plus adding enrichment to flows output.

@Jerry Hardee do you have anything to share?

I just rebased my work -- I will open a PR soon after testing it one more time

I opened a PR here: https://github.com/OISF/suricata/pull/14558

v2 PR: https://github.com/OISF/suricata/pull/14567