July 2014

Thanks to the EVE JSON events and alerts format that appear in Suricata 2.0, it is now easy to import Suricata generated data into a running Splunk.

To ease the first steps of integration, Stamus Networks is providing a Splunk application: Suricata by Stamus Networks

It can be installed like any other applications and it just requires that a Suricata EVE JSON file is known and parsed by Splunk.

Current version is providing a dashboard and a few searches:

Screenshot from 2014-07-30 15:39:11

This post describes how to import the application and if you don’t have already done it how to import data from a Suricata EVE file.

Importing the application

Importing the application is done via the Apps menu on top of Splunk starting page:

Screenshot from 2014-07-30 15:33:39

Suricata by Stamus Networks application is currently provided as a file, so you need to download it: Suricata by Stamus Networks. Once done, you can add the application:

Screenshot from 2014-07-30 15:33:50

You need to select the file

Screenshot from 2014-07-30 15:34:05

Importing a Suricata EVE JSON file

Since splunk 6.1.x, the recognition of the file format is automatic. If you are using an older version of Splunk, you may need to refer to this page to import Suricata EVE file.

Here’s the detailed procedure to import Suricata EVE data into Splunk. From the starting page, we click on Add Data:

Screenshot from 2014-07-30 15:27:48

Then we click an Files & Directories to tell Splunk to import data from Suricata EVE JSON file:

Screenshot from 2014-07-30 15:28:08

Once done, we click on the New button:

Screenshot from 2014-07-30 15:28:21

Now, we only need to give the complete path to the eve.json file:

Screenshot from 2014-07-30 15:28:47

Once this is done, we just need to click on all Continue buttons to be done.

Using the application

Now, we can go to the application by clicking on Suricata by Stamus Networks:

Screenshot from 2014-07-30 15:34:42

Next step can be to to go the dashboard:

Screenshot from 2014-07-30 15:35:02

The dashboard contains some interesting panels like the following one who displays the destination IP addresses that are using a self-signed certificate for TLS connections:
Screenshot from 2014-07-30 14:37:52

Conclusion

This application should evolve with time, so stay tuned and follow us on twitter for more information.