Dear Community, I need some help on sending Suricata IDS alerts to PacketFence 13.2.
Right now, I have installed Suricata 7.0.7 (from source) on an Ubuntu 24.04 server; I'm using this configuration to write fast logs to "/usr/local/var/log/suricata/fast.log" (suricata.yaml output):

    # Configure the type of alert (and other) logging you would like.
    outputs:
      # a line based alerts log similar to Snort's fast.log
      - fast:
          enabled: yes
          filename: fast.log
          append: yes
          #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

I made a test with the Suricata test rule:

    alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

and Suricata is working correctly (I have alert entries in fast.log):

    tail /usr/local/var/log/suricata/fast.log
    11/27/2024-16:09:44.676455 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.66.218.82:80 -> 192.168.4.7:52244
    11/27/2024-16:09:45.843326 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.66.218.24:80 -> 192.168.4.7:59216
    11/27/2024-16:09:46.436033 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.66.218.82:80 -> 192.168.4.7:52246

Now, to send these fast.log entries to PacketFence, I installed syslog-ng on the Ubuntu 24 server where Suricata is installed and put this conf file in /etc/syslog-ng/conf.d/suricata.conf:

    @version: 4.3
    source s_suricata {
        file("/usr/local/bin/var/log/suricata/fast.log" program-override("suricata") flags(no-parse));
    };
    destination d_suricata {
        tcp("192.168.4.2" port(514));
    };
    log {
        source(s_suricata);
        destination(d_suricata);
    };

where 192.168.4.2 is the PacketFence management IP address.
Meanwhile, on the PacketFence side (Debian 12), I configured the preinstalled rsyslog service by adding the following in /etc/rsyslog.d/suricata.conf:

    # Define a rule to process Suricata logs
    if $programname contains "suricata" then {
        action(type="ompipe" pipe="/usr/local/pf/var/suricata")
    }
    # Discard logs after processing (optional)
    & stop

I think that with the suricata.conf above, the entries are moved into the pipe "/usr/local/pf/var/suricata" which I previously created, but it isn't working. I sniffed traffic on the PF mgmt interface and I can see packets coming in on port 514 (which I allowed in iptables):

    # tcpdump -n -i ens18 -vv port 514
    tcpdump: listening on ens18, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    17:20:52.618184 IP (tos 0x0, ttl 64, id 31643, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.4.7.41793 > 192.168.4.2.514: Flags [.], cksum 0x8980 (incorrect -> 0xa0d8), seq 44872519, ack 578307382, win 502, options [nop,nop,TS val 2992805794 ecr 2326835961], length 0
    17:20:52.618202 IP (tos 0x0, ttl 64, id 40814, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.4.2.514 > 192.168.4.7.41793: Flags [.], cksum 0x8980 (incorrect -> 0x3930), seq 1, ack 1, win 510, options [nop,nop,TS val 2326897400 ecr 2988380037], length 0

How can I redirect these alerts to the pipe "/usr/local/pf/var/suricata"? Is this setup configured correctly, or can I achieve the same result in a better way? Can someone point me in the right direction? I would like to achieve this in order to create Security Events based on the Suricata alerts received.
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
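The pipeline in the post hands Suricata fast.log lines through syslog-ng and rsyslog into a named pipe that PacketFence reads. When debugging such a chain it helps to have a parser for the exact line format the post shows, plus a check that the receiving end really is a FIFO. The following is an added example written for this page; it is not code from the poster, Suricata or PacketFence. It assumes only the fast.log line layout quoted above and the pipe path /usr/local/pf/var/suricata from the post; the sample lines are constructed with RFC 5737 documentation addresses, and the function and field names are the example's own.

```python
"""Parse Suricata fast.log alert lines and sanity-check the pfdetect named pipe.

Added example, not Suricata or PacketFence code. Assumes the fast.log layout
quoted in the post and the FIFO path /usr/local/pf/var/suricata.
"""
import os
import re
import stat
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# One fast.log line looks like:
# 11/27/2024-16:09:44.676455 [**] [1:2100498:7] <msg> [**] [Classification: ...] [Priority: 2] {TCP} SRC:SPORT -> DST:DPORT
# The Classification block is only present when the rule carries a classtype.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
_PORT_SUFFIX = re.compile(r"^(?P<host>.+):(?P<port>\d+)$")


@dataclass(frozen=True)
class FastAlert:
    timestamp: datetime
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'192.0.2.10:80' -> ('192.0.2.10', 80); an endpoint with no port -> (endpoint, None).
    Limitation: a bare IPv6 address without a port is ambiguous (its last group looks like a port)."""
    m = _PORT_SUFFIX.match(endpoint)
    if not m:
        return endpoint, None
    return m.group("host"), int(m.group("port"))


def parse_fast_log_line(line: str) -> Optional[FastAlert]:
    """Return a FastAlert for a well-formed line, or None for blank, foreign or truncated lines
    (a tailer can easily read a half-written line, so callers must tolerate None)."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m.group("src"))
    dst_ip, dst_port = split_endpoint(m.group("dst"))
    return FastAlert(
        timestamp=datetime.strptime(m.group("ts"), "%m/%d/%Y-%H:%M:%S.%f"),
        gid=int(m.group("gid")), sid=int(m.group("sid")), rev=int(m.group("rev")),
        msg=m.group("msg"), classification=m.group("cls"), priority=int(m.group("prio")),
        proto=m.group("proto"),
        src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port,
    )


def parse_fast_log(text: str) -> List[FastAlert]:
    """Parse a whole fast.log excerpt, silently skipping lines that do not match."""
    return [a for a in (parse_fast_log_line(l) for l in text.splitlines()) if a is not None]


def sids_by_destination(alerts: List[FastAlert]) -> Dict[str, List[int]]:
    """Group triggered rule sids by destination IP (for the server->client test alerts in the
    post, the destination is the endpoint a NAC would act on; this is an assumption)."""
    out: Dict[str, set] = {}
    for a in alerts:
        out.setdefault(a.dst_ip, set()).add(a.sid)
    return {ip: sorted(sids) for ip, sids in out.items()}


def check_named_pipe(path: str = "/usr/local/pf/var/suricata") -> str:
    """Return 'fifo', 'missing' or 'not-a-fifo'. rsyslog's ompipe only behaves as expected when
    the target already exists as a FIFO; a plain file here is a common silent failure."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    return "fifo" if stat.S_ISFIFO(st.st_mode) else "not-a-fifo"


# Constructed sample: two normal alerts, one without a Classification block, one truncated line.
SAMPLE_FAST_LOG = """\
11/27/2024-16:09:44.676455 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.82:80 -> 192.0.2.7:52244
11/27/2024-16:09:45.843326 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.24:80 -> 192.0.2.7:59216
11/27/2024-16:09:50.000001 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 2] {TCP} 198.51.100.24:80 -> 192.0.2.9:40000
11/27/2024-16:09:51.1 [**] [1:2100498:7] GPL ATTACK_RESPONSE
"""

if __name__ == "__main__":
    for alert in parse_fast_log(SAMPLE_FAST_LOG):
        print(alert.timestamp.isoformat(), alert.sid, alert.src_ip, "->", alert.dst_ip, alert.msg)
    print("per-destination sids:", sids_by_destination(parse_fast_log(SAMPLE_FAST_LOG)))
    print("pipe status:", check_named_pipe())
```

Running the script on the PacketFence host reports whether /usr/local/pf/var/suricata exists as a FIFO; feeding it the real fast.log (for example `parse_fast_log(open(path).read())`) shows which fields survive the relay, which is useful when comparing what syslog-ng sends with what arrives on port 514.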