Wednesday, August 12, 2015

Suricata - Installation and Configuration to log to Splunk

This is a supporting blog post to assist with solving the exercise posted on This post acts as a prelude with set-up instructions to install and configure the prerequisites.


The set-up is to run analysis tools like Suricata, Wireshark and Fiddler in a separate instance for analysis, and to use a Splunk universal forwarder to send the logs to my Splunk Core instance.

Pre-installation requirements to install Suricata (IDS) on Linux
Before you can build Suricata for your system, run the following command to ensure that you have everything you need for the installation.
sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config

Download and install Suricata

tar -xvzf "suricata-3.1.1.tar.gz"
cd "suricata-3.1.1"
# Pick ONE of the two configure lines. The first adds NFQUEUE support, which is only needed for inline (IPS) mode:
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
# ...or, for a pcap-reading IDS set-up like this one, the plain build:
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
# Then build and install the binary together with its default configuration files (install-conf also creates /var/log/suricata):
make && sudo make install-conf

Configure Suricata to enable JSON output.
Besides enabling JSON output, no other configuration is required.
This is covered in the Eve JSON Output documentation; we just have to enable it in the config file suricata.yaml.

root@brainfold-blackbox:/opt/suricata-3.1.1# cat suricata.yaml | grep -C 2  "eve-log\:"

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis

Navigate to the folder where Suricata is installed (the one containing suricata.yaml, /opt/suricata-3.1.1 above) and run the following command.

suricata -c suricata.yaml -r input_pcap_file_location -l output_location_to_store_the_logs

A successful run prints the following, with no errors in between. The EVE log is written as eve.json in the directory given to -l.

<Notice> - This is Suricata version 3.1.1 RELEASE
<Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
<Notice> - Signal Received.  Stopping engine.
<Notice> - Pcap-file module read 3103 packets, 2155330 bytes
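Before shipping eve.json to Splunk it is worth checking that every line is something Splunk can index: one complete JSON object per line, with an event_type and a timestamp in Suricata's EVE format. The script below is an added example, not code from the original post or from the Suricata project. It assumes the default EVE filename eve.json in the -l directory and the default EVE timestamp layout (for example 2016-07-05T12:34:56.123456+0000); the sample lines embedded in it are constructed, not real capture data, and include a truncated line and a line with no timestamp to show what the check reports.

```python
"""Sanity-check a Suricata EVE JSON log before forwarding it to Splunk.

Added example (not from the original post). Assumes the default eve.json
output and the default EVE timestamp format. Splunk indexes one event per
line, so a line that is not a complete JSON object, or that carries no
usable timestamp, will be mis-parsed or time-stamped with the index time.
"""
import json
from collections import Counter
from datetime import datetime

# Constructed sample of eve.json lines (not real capture data):
# two alerts, one DNS record, one truncated line, one line without a timestamp.
SAMPLE_EVE = """\
{"timestamp":"2016-07-05T12:34:56.123456+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature":"EXAMPLE Constructed Test Rule","severity":2}}
{"timestamp":"2016-07-05T12:34:57.000001+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example.test"}}
{"timestamp":"2016-07-05T12:34:58.500000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"signature":"EXAMPLE Constructed Test Rule","severity":2}}
{"timestamp":"2016-07-05T12:34:59.000000+0000","event_type":"alert","src_ip":
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}
"""

# Default EVE timestamp layout: ISO date/time, microseconds, numeric UTC offset.
EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_eve_lines(lines):
    """Parse EVE lines and return (events, problems).

    events: list of dicts Splunk would index cleanly.
    problems: list of (line_number, reason) for lines it would not.
    """
    events, problems = [], []
    for lineno, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except ValueError:
            problems.append((lineno, "not a complete JSON object"))
            continue
        if not isinstance(ev, dict) or "event_type" not in ev:
            problems.append((lineno, "missing event_type"))
            continue
        ts = ev.get("timestamp")
        if ts is None:
            problems.append((lineno, "missing timestamp"))
            continue
        try:
            datetime.strptime(ts, EVE_TS_FORMAT)
        except ValueError:
            problems.append((lineno, "unparseable timestamp"))
            continue
        events.append(ev)
    return events, problems


def summarize(events):
    """Count indexable events by event_type and alerts by signature."""
    by_type = Counter(ev["event_type"] for ev in events)
    signatures = Counter(ev["alert"]["signature"] for ev in events
                         if ev["event_type"] == "alert" and "alert" in ev)
    return by_type, signatures


def check_eve_file(path):
    """Run the same check over a real eve.json written by `suricata -l`."""
    with open(path, encoding="utf-8") as fh:
        return parse_eve_lines(fh)


if __name__ == "__main__":
    events, problems = parse_eve_lines(SAMPLE_EVE.splitlines())
    by_type, sigs = summarize(events)
    print("indexable events by type:", dict(by_type))
    print("alert signatures:", dict(sigs))
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
```

Run it as `python3 check_eve.py` against the embedded sample, or call check_eve_file("output_location_to_store_the_logs/eve.json") on the directory you passed to -l. Lines reported as problems are the ones that will show up in Splunk as broken or mis-timed events, which is the usual reason the search in the verification step returns fewer hits than the packet count in the Notice line suggests.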

Either use the Splunk universal forwarder or the "Local - Data inputs" option to transport the log into Splunk.

Splunk - inputs.conf
brainfold-mac:local root# cat inputs.conf
# Stanza header added here: the path is a placeholder for the directory passed to suricata -l,
# where EVE writes eve.json by default.
[monitor:///output_location_to_store_the_logs/eve.json]
disabled = false
index = suricata
sourcetype = pcap

Splunk - props.conf
# Stanza name added here; it must match the sourcetype set in inputs.conf.
[pcap]
category = Custom
disabled = false
pulldown_type = true
# Added: have Splunk extract fields from the JSON body of each event at search time.
KV_MODE = json

Note that the key is to assign the sourcetype as "pcap" OR "json", which makes it easier for Splunk to parse the events.

Verify the logs are flowing into Splunk

index=suricata sourcetype=pcap

Note - Updated with the latest Suricata version, "3.1.1".