Suricata Alert/Drop by top rule names #18
Replies: 3 comments 1 reply
-
I think I could implement this. Something like a top dropped category/top dropped signature, top alerted category/top alerted signature? Or do you mean ruleset names, e.g. 'emerging-dos.rules'?
-
You laid out what I was thinking exactly. That would be pretty sweet. I really need to get to work learning Grafana more as it could be useful for so many things, and almost decided to do this myself to learn more about Grafana. BUT, if I want to load updates for your dashboard, I'd have to re-add them every time. Here is what I have configured in Graylog currently to extract the Suricata JSON data, if any of it is useful. Had to enable EVE logging for Suricata, as there wasn't much information in just the syslog that's easy to parse anyway.

Extractor Config:
- First Extractor - strip off everything but the JSON data
- Second Extractor - load the JSON data

Now, in the extracted data, the following fields contain the information you'd need:
- alert_action -> (allowed or blocked)

Following may also be useful, but these could be dropped or alerted in either direction, so not as simple as showing blocks inbound on the WAN interface:
- src_ip

I then did some things with GROK patterns against the JSON to pull out DNS and TLS information but that may not be useful for the dashboard. That was where the complexity was; the initial extractors are pretty simple with regex stripping off everything but JSON, and then parsing the JSON.
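As an added example (not code from this thread or from the dashboard project), here is a Python sketch of the two-extractor pipeline described above, strip the syslog prefix to the JSON and parse it, with nested keys flattened to `alert_action` the way the Graylog JSON extractor names them, feeding the top dropped/alerted signature and category tally from the first comment. The syslog lines and signature values are constructed for the example.

```python
import json
import re
from collections import Counter
# Constructed sample syslog lines carrying Suricata EVE JSON (made up for this example).
SAMPLE_LINES = [
    '<13>Jan 10 12:00:01 fw suricata[1234]: {"event_type":"alert","src_ip":"203.0.113.5","alert":'
    '{"action":"blocked","signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic"}}',
    '<13>Jan 10 12:00:02 fw suricata[1234]: {"event_type":"alert","src_ip":"198.51.100.7","alert":'
    '{"action":"blocked","signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic"}}',
    '<13>Jan 10 12:00:03 fw suricata[1234]: {"event_type":"alert","src_ip":"192.0.2.10","alert":'
    '{"action":"allowed","signature_id":2013028,"signature":"ET POLICY curl User-Agent Outbound",'
    '"category":"Attempted Information Leak"}}',
    '<13>Jan 10 12:00:04 fw suricata[1234]: {"event_type":"dns","src_ip":"192.0.2.10","dns":{"rrname":"example.com"}}',
    '<13>Jan 10 12:00:05 fw suricata[1234]: not json at all',
]
JSON_PART = re.compile(r'\{.*\}\s*$')  # first extractor: keep only the JSON payload

def extract_event(line):
    """Parsed EVE event from one syslog line, or None when there is no valid JSON (second extractor)."""
    match = JSON_PART.search(line)
    if not match:
        return None
    try:
        return json.loads(match.group(0))
    except json.JSONDecodeError:
        return None

def flatten(obj, prefix=""):
    """Join nested keys with '_' so alert.action becomes alert_action, like Graylog's JSON extractor."""
    flat = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}_"))
        else:
            flat[f"{prefix}{key}"] = value
    return flat

def top_by_action(lines, action, field="alert_signature", limit=5):
    """Top signatures (or categories) among alert events whose alert_action is 'blocked' or 'allowed'."""
    counts = Counter()
    for line in lines:
        event = extract_event(line)
        if not event or event.get("event_type") != "alert":
            continue  # dns/tls/flow records and unparseable lines never reach the panel
        flat = flatten(event)
        if flat.get("alert_action") == action and field in flat:
            counts[flat[field]] += 1
    return counts.most_common(limit)
```

Call `top_by_action(SAMPLE_LINES, "blocked")` for top dropped signatures and `top_by_action(SAMPLE_LINES, "allowed", "alert_category")` for top alerted categories; src_ip survives in the flattened record if a per-source panel is wanted.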
-
I see you already had an update before I posted the information and had a totally different way of doing it than I was thinking. In the process of setting that up now!!
-
Have you ever thought about adding Suricata Alert/Drop information to the dashboard based on rule names??