# TA-suricata

**Repository Path**: ossim/TA-suricata

## Basic Information

- **Project Name**: TA-suricata
- **Description**: A tool that can be used with Splunk Enterprise Security and provides field extractions, aliases and tags for the Suricata eve-log outputs listed below, enabling analysis of Suricata alert events.
- **Primary Language**: Shell
- **License**: Apache-2.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 1
- **Created**: 2021-12-01
- **Last Updated**: 2022-03-10

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# TA-suricata for Splunk

This CIM-compliant TA can be used with Splunk Enterprise Security and provides field extractions, aliases and tags for the following Suricata eve-log outputs:

* alert
* tls

This populates the SSL Activity panel under Protocol Intelligence, and the Intrusion Center under Security Domains -> Network, in Splunk Enterprise Security:

![Splunk ES SSL Activity](splunk_es_ssl_activity.png)
![Splunk ES Network Intrusion Center](splunk_es_network_intrusion_center.png)

## Installation

Install this TA on your Splunk (Enterprise Security) search head. Make sure the app directory is named TA-suricata, otherwise ES will not pick it up.

## Configuration

Have the log files indexed by a Splunk Universal Forwarder with the sourcetype `suricata_eve`, for example with the following inputs.conf:

```
[monitor:///var/log/suricata/eve.json]
disabled = false
sourcetype = suricata_eve
index = suricata
```

## CIM

The TA provides fields compatible with the Splunk Common Information Model (CIM):

* action
* category
* ids_type = network
* severity
* src
* src_ip
* dest
* dest_ip
* signature
* signature_id
* ssl_hash
* ssl_version
* ssl_serial
* ssl_subject_common_name
* ssl_subject_email
* ssl_subject_locality
* ssl_subject_organization
* ssl_issuer_common_name
* ssl_issuer_email
* ssl_issuer_locality
* ssl_issuer_organization
* transport
* vendor_product = Suricata
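To make the CIM mapping above concrete for the two eve-log outputs the TA covers, here is an added Python illustration (not the TA's own props.conf/transforms.conf logic) that derives the listed fields from constructed `alert` and `tls` eve.json lines. The Suricata numeric severity mapping (1 = high, 2 = medium, 3 = low) and the DN attribute mapping are assumptions, and the sample events are constructed.

```python
import json

# Constructed sample Suricata eve.json lines (one alert, one tls event); not from the TA.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10",'
    '"dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":2100498,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"event_type":"tls","src_ip":"10.0.0.5","src_port":51300,"dest_ip":"192.0.2.20",'
    '"dest_port":443,"proto":"TCP","tls":{"subject":"C=US, L=Springfield, O=Example Corp,'
    ' CN=www.example.com, emailAddress=admin@example.com","issuerdn":"C=US, L=Springfield,'
    ' O=Example CA, CN=Example Root CA","serial":"04:5A","fingerprint":"ab:cd:ef:01",'
    '"version":"TLS 1.2"}}',
]

# Assumed mapping of Suricata's numeric severity (1 = most severe) to CIM severity values.
SEVERITY = {1: "high", 2: "medium", 3: "low"}

# Assumed mapping of X.509 DN attribute types to the ssl_subject_*/ssl_issuer_* suffixes.
DN_ATTRS = {"CN": "common_name", "emailAddress": "email", "L": "locality", "O": "organization"}


def parse_dn(dn):
    """Split a Suricata-rendered DN ("C=US, O=Example, CN=host") into {attr: value}."""
    parts = (p.split("=", 1) for p in dn.split(", ") if "=" in p)
    return {k.strip(): v.strip() for k, v in parts}


def to_cim(line):
    """Return the CIM-style fields the README lists for one eve.json line (alert or tls)."""
    ev = json.loads(line)
    cim = {
        "vendor_product": "Suricata", "ids_type": "network",
        "src": ev["src_ip"], "src_ip": ev["src_ip"],
        "dest": ev["dest_ip"], "dest_ip": ev["dest_ip"],
        "transport": ev.get("proto", "").lower(),  # CIM uses lowercase transport names
    }
    if ev["event_type"] == "alert":
        a = ev["alert"]
        cim.update(action=a.get("action"), category=a.get("category"),
                   signature=a.get("signature"), signature_id=a.get("signature_id"),
                   severity=SEVERITY.get(a.get("severity"), "unknown"))
    elif ev["event_type"] == "tls":
        t = ev["tls"]
        cim.update(ssl_hash=t.get("fingerprint"), ssl_version=t.get("version"),
                   ssl_serial=t.get("serial"))
        for prefix, key in (("ssl_subject_", "subject"), ("ssl_issuer_", "issuerdn")):
            for attr, val in parse_dn(t.get(key, "")).items():
                if attr in DN_ATTRS:
                    cim[prefix + DN_ATTRS[attr]] = val
    return cim


if __name__ == "__main__":
    for line in SAMPLE_EVE_LINES:
        print(json.dumps(to_cim(line), indent=2))
```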