Integrate Suricata with IBM QRadar 7


An Open Source IDS and SIEM - what could possibly go wrong

There are multiple reasons why integrating an Open Source Network IDS/IPS like Suricata is worth the effort. Let’s not go into detail about this here and focus on the setup.

There is a DSM

Kind of… The first thing you need to do is edit suricata.yaml:

  - syslog:
      enabled: yes
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      identity: "snort"
      facility: local4
      level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug

This sets the programname to snort for your syslog daemon. Let’s say this is Rsyslog.

The next thing you configure is Syslog forwarding with a template:

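# Forwarding format in the traditional sysklogd style (no timestamp or hostname)
$template sysklogd, "<%PRI%>%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
# Forward everything logged as "snort" to QRadar over UDP (single @)
if $programname == 'snort' then @1.2.3.4:514;sysklogd
# Uncomment to discard these messages locally after forwarding
# & ~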

This way the QRadar receiver at 1.2.3.4 (UDP port 514) receives the messages. Now tell QRadar that the log source at the IDS sensor's IP is a Snort Open Source IDS.

Just make sure the Log Source Identifier is the sensor IP. And you are done.

Extend the Snort DSM with an LSX for Suricata EVE support in QRadar

This is just a starting point for handling the JSON (EVE) output from Suricata, which can be sent via syslog. The individual JSON keys are mapped to the corresponding QRadar fields.

<?xml version="1.0" encoding="UTF-8"?>
<!--
This is just a start. You need to tune the whole system to tie it together.
-->
<device-extension xmlns="event_parsing/device_extension">
	<pattern id="EventName" xmlns=""><![CDATA["signature\_id\"\:(\d{1,9})\,\"]]></pattern>
	<pattern id="EventCategory" xmlns=""><![CDATA["category\"\:\"(\D*)\"\,]]></pattern>
	<pattern id="SourceIp" xmlns=""><![CDATA["src\_ip\"\:\"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})]]></pattern>
	<pattern id="SourcePort" xmlns=""><![CDATA["src\_port\"\:(\d*)\,\"]]></pattern>
	<pattern id="DestinationIp" xmlns=""><![CDATA["dest\_ip\"\:\"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})]]></pattern>
	<pattern id="DestinationPort" xmlns=""><![CDATA["dest\_port\"\:(\d*)\,\"]]></pattern>
	<pattern id="Protocol" xmlns=""><![CDATA[,\"proto\"\:"(\w{1,6})\"]]></pattern>
	<pattern id="DevicetimeParser" xmlns=""><![CDATA["timestamp"\:\"(\d{4}\-\d{2}\-\d{2}T\d{2}\:\d{2}\:\d{2})\.]]></pattern>
	<match-group order="1" description="Snort Open Source IDS" device-type-id-override="10" xmlns="">
		<matcher field="EventName" order="1" pattern-id="EventName" capture-group="1" />
		<matcher field="EventCategory" order="1" pattern-id="EventCategory" capture-group="1"/>
		<matcher field="SourceIp" order="1" pattern-id="SourceIp" capture-group="1" />
		<matcher field="SourcePort" order="1" pattern-id="SourcePort" capture-group="1" />
		<matcher field="Protocol" order="1" pattern-id="Protocol" capture-group="1" />
		<matcher field="DestinationIp" order="1" pattern-id="DestinationIp" capture-group="1" />
		<!-- ext-data must describe the captured value: dashes in the date and a quoted literal T -->
		<matcher field="DeviceTime" order="1" ext-data="yyyy-MM-dd'T'HH:mm:ss" pattern-id="DevicetimeParser" capture-group="1" />
		<matcher field="DestinationPort" order="1" pattern-id="DestinationPort" capture-group="1" />
		<event-match-multiple pattern-id="EventName" capture-group-index="1" device-event-category="Snort Open Source IDS" />
	</match-group>
</device-extension>

This should at least be a start.
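
One way to sanity-check the LSX patterns against a forwarded EVE alert before uploading the extension (an added example, not part of the original post). Python's `re` stands in for QRadar's regex engine here, which is an assumption that holds for these simple patterns; the sample log line and the `check_lsx` helper name are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Patterns copied from the LSX on this page. The timestamp pattern uses a plain
# "T": a backslash before T is an invalid escape in Python's re and in Java's regex.
LSX = r'''<device-extension xmlns="event_parsing/device_extension">
<pattern id="EventName" xmlns=""><![CDATA["signature\_id\"\:(\d{1,9})\,\"]]></pattern>
<pattern id="EventCategory" xmlns=""><![CDATA["category\"\:\"(\D*)\"\,]]></pattern>
<pattern id="SourceIp" xmlns=""><![CDATA["src\_ip\"\:\"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})]]></pattern>
<pattern id="SourcePort" xmlns=""><![CDATA["src\_port\"\:(\d*)\,\"]]></pattern>
<pattern id="DestinationIp" xmlns=""><![CDATA["dest\_ip\"\:\"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})]]></pattern>
<pattern id="DestinationPort" xmlns=""><![CDATA["dest\_port\"\:(\d*)\,\"]]></pattern>
<pattern id="Protocol" xmlns=""><![CDATA[,\"proto\"\:"(\w{1,6})\"]]></pattern>
<pattern id="DevicetimeParser" xmlns=""><![CDATA["timestamp"\:\"(\d{4}\-\d{2}\-\d{2}T\d{2}\:\d{2}\:\d{2})\.]]></pattern>
</device-extension>'''

# Constructed sample: one EVE alert as rsyslog would forward it with the
# template above (PRI 166 = local4.info, tag "snort:").
SAMPLE = ('<166>snort: {"timestamp":"2017-03-01T10:15:30.123456+0100","flow_id":1,'
          '"event_type":"alert","src_ip":"192.0.2.10","src_port":44321,'
          '"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP",'
          '"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,'
          '"signature":"GPL ATTACK_RESPONSE id check returned root",'
          '"category":"Potentially Bad Traffic","severity":2}}')


def check_lsx(lsx_xml, payload):
    """Map each pattern id to its capture; None = no match, 'ERROR: ...' = bad regex."""
    results = {}
    for pat in ET.fromstring(lsx_xml).iter("pattern"):
        try:
            match = re.search(pat.text, payload)
        except re.error as exc:  # pattern does not even compile
            results[pat.get("id")] = f"ERROR: {exc}"
            continue
        results[pat.get("id")] = match.group(1) if match else None
    return results


if __name__ == "__main__":
    for field, value in check_lsx(LSX, SAMPLE).items():
        print(f"{field:17} {value!r}")
```

A `None` or `ERROR` entry means QRadar would leave that field unparsed, so run a captured line from your own sensor through the check as well.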