Presented at SuriCon 2018 by Christian Kreibich, Corelight
Network security practitioners frequently correlate alerts produced by Suricata with flow-level logs available from other network monitors, for example to understand the context of an alert and gauge the outcome of an attack. Currently the best way to conduct this correlation is to manually identify the flow tuple involved (usually the source/destination IP addresses and ports plus the transport-layer protocol) around the timestamps in question. To simplify this process, the Bro and Suricata developers have been working jointly on a “Community ID” value that both monitors compute and log identically, so that a single hash value allows immediate correlation. In this talk we will motivate the Community ID, report on its current implementation status, and demonstrate it to the community.
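As an added illustration of why one value suffices for correlation, the following Python implements the version-1 Community ID computation as the specification lays it out (seed, canonically ordered address pair, protocol, one padding byte, ordered ports; SHA-1; Base64 with a "1:" prefix) and shows that an alert and a flow record logged from opposite directions yield the same ID. This is example code written for this page, not the reference implementation of either project; it assumes the flow is TCP/UDP/SCTP or a port-less IP protocol, and leaves out the ICMP type/code port mapping the spec also defines.

```python
import base64
import hashlib
import ipaddress
import struct

# Transport protocols whose Community ID input includes the port pair.
PORT_PROTOS = {6, 17, 132}  # TCP, UDP, SCTP


def community_id(saddr, daddr, proto, sport=None, dport=None, seed=0):
    """Return the version-1 Community ID for a flow tuple.

    Covers TCP/UDP/SCTP and port-less IP protocols only; the ICMP
    type/code port mapping from the spec is deliberately not implemented.
    """
    sa = ipaddress.ip_address(saddr).packed  # network-order bytes, v4 or v6
    da = ipaddress.ip_address(daddr).packed
    has_ports = proto in PORT_PROTOS
    if has_ports and (sport is None or dport is None):
        raise ValueError("TCP/UDP/SCTP flows need both ports")
    # Canonical ordering: the "lower" endpoint goes first so both directions
    # of a flow hash identically. Addresses compare as raw bytes, ports as ints.
    if has_ports:
        ordered = sa < da or (sa == da and sport < dport)
    else:
        ordered = sa < da
    if not ordered:
        sa, da = da, sa
        sport, dport = dport, sport
    # Hash input: seed (u16 BE), ordered addresses, proto (u8), one zero
    # padding byte, then the ordered ports (u16 BE each) when applicable.
    data = struct.pack("!H", seed) + sa + da + struct.pack("!BB", proto, 0)
    if has_ports:
        data += struct.pack("!HH", sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def same_flow(alert_tuple, conn_tuple, seed=0):
    """True when an alert tuple and a flow-log tuple describe one flow."""
    return community_id(*alert_tuple, seed=seed) == community_id(*conn_tuple, seed=seed)


if __name__ == "__main__":
    # Constructed sample: the spec's reference TCP flow as an alert sees it
    # (client -> server) and as a flow log might record it (server -> client).
    alert = ("128.232.110.120", "66.35.250.204", 6, 34855, 80)
    conn = ("66.35.250.204", "128.232.110.120", 6, 80, 34855)
    print(community_id(*alert), community_id(*conn), same_flow(alert, conn))
```

Both monitors must be configured with the same seed, otherwise the IDs differ even for identical tuples.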