Presented at SuriCon 2018 by Peter Czanik, Balabit
Suricata is an open source IDS / IPS / NSM engine utilizing standards-compliant input and output formats like YAML and JSON. This enables easy integration with databases, Security Information and Event Management (SIEM) solutions, and other analysis tools. syslog-ng is an open source log management application capable of collecting, processing, filtering and storing (or forwarding) log messages. Combining the two applications, you can analyze the logs of Suricata in real-time and send the results to a wide variety of destinations, including e-mail alerts and Elasticsearch.

Integrating Suricata and syslog-ng is a smooth and easy process thanks to JSON: Suricata logs network events in JSON format, while syslog-ng can parse JSON-formatted log messages. Once values are turned into name-value pairs, the possibilities are endless.

In my talk, I show a few use cases that I tried on my Turris Omnia Linux router, featuring both Suricata and syslog-ng. Here are a few highlights:

- Filter logs based on field content: route logs to the right places, for example, alerts to SIEM
- Add contextual data to logs to enhance filtering or dashboards, for example, machine function based on IP address
- Add geolocation information based on IP address. You can use it to display attacks on a world map or create an alert to notify you of a network connection to a suspicious country
- Compare IP addresses with a known list of malware command & control IP addresses
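The following syslog-ng configuration is an added example, not the speaker's own configuration or anything shipped with Suricata or syslog-ng. It wires the four highlights above into one log path: Suricata's EVE JSON output is parsed into name-value pairs, alerts are routed to a SIEM, each event is enriched with a machine function looked up by IP and with GeoIP data, connections to a listed command & control address trigger an e-mail, and everything is indexed in Elasticsearch. All file paths, hostnames, addresses and the country code are assumptions; `elasticsearch-http()` needs syslog-ng 3.21 or later, and `geoip2()` needs a MaxMind database on disk.

```conf
@version: 3.21
@include "scl.conf"

# Suricata EVE JSON log, one JSON object per line (path is an assumption).
# no-parse keeps the raw line in $MESSAGE so the JSON parser sees all of it.
source s_suricata {
    file("/var/log/suricata/eve.json" flags(no-parse));
};

# Turn the JSON document into name-value pairs: ${.suri.event_type},
# ${.suri.src_ip}, ${.suri.dest_ip}, ${.suri.alert.signature}, ...
parser p_suri_json {
    json-parser(prefix(".suri."));
};

# 1. Filter on field content: only alert events go to the SIEM.
filter f_alert {
    "${.suri.event_type}" == "alert";
};

# 2. Contextual data: machine function looked up by destination IP.
# hosts.csv is a constructed CSV of "selector,name,value" rows, e.g.
#   192.0.2.10,function,mail-server
#   192.0.2.20,function,workstation
parser p_host_function {
    add-contextual-data(
        selector("${.suri.dest_ip}"),
        database("/etc/syslog-ng/hosts.csv"),
        default-selector("unknown"),
        prefix(".ctx.")
    );
};

# 3. Geolocation of the source IP (database path is an assumption).
parser p_geoip {
    geoip2(
        "${.suri.src_ip}",
        prefix(".geoip2."),
        database("/usr/share/GeoIP/GeoLite2-City.mmdb")
    );
};

# Combine latitude/longitude into one field Elasticsearch can map as geo_point.
rewrite r_geo_point {
    set(
        "${.geoip2.location.latitude},${.geoip2.location.longitude}",
        value("geoip.location")
    );
};

# Alert on connections to a country you consider suspicious ("XX" is a placeholder).
filter f_suspicious_country {
    "${.geoip2.country.iso_code}" == "XX";
};

# 4. Compare the destination IP with a known C2 list, one IP per line
# (list path is an assumption; populate it from your threat intel feed).
filter f_c2 {
    in-list("/etc/syslog-ng/c2-ips.list", value(".suri.dest_ip"));
};

# Destinations (hostnames and addresses are placeholders).
destination d_siem {
    syslog("siem.example.com" transport("tls") port(6514));
};

destination d_mail {
    smtp(
        host("localhost") port(25)
        from("syslog-ng@example.com") to("soc@example.com")
        subject("Suricata: ${.suri.src_ip} -> ${.suri.dest_ip} (${.suri.alert.signature})")
        body("$(format-json --scope nv-pairs)")
    );
};

destination d_elastic {
    elasticsearch-http(
        url("http://localhost:9200/_bulk")
        index("suricata-${YEAR}.${MONTH}.${DAY}")
        type("")
        template("$(format-json --scope rfc5424 --scope nv-pairs --exclude DATE --key ISODATE)")
    );
};

log {
    source(s_suricata);
    parser(p_suri_json);

    # Alerts are copied to the SIEM; the message continues down the path.
    log { filter(f_alert); destination(d_siem); };

    parser(p_host_function);
    parser(p_geoip);
    rewrite(r_geo_point);

    # Mail on a C2 hit or on a connection to the suspicious country.
    log { filter(f_c2); destination(d_mail); };
    log { filter(f_suspicious_country); destination(d_mail); };

    # Everything, enriched, goes to Elasticsearch for dashboards and the world map.
    destination(d_elastic);
};
```

The nested `log { ... }` blocks carry no `flags(final)`, so a matching event is delivered to the inner destination and still continues to Elasticsearch. `in-list()` re-reads the file only at reload, so schedule a `syslog-ng-ctl reload` after updating the C2 list, and note that the name-value pairs created by `add-contextual-data()` and `geoip2()` are only as trustworthy as the CSV and the MaxMind database behind them.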