Want to create a pipeline for sending snort logs present on sensor node and displaying snort module name in alerts page

[kunalhiremath]

I trying to send snort logs which are present in /nsm directory on sensor node to manager via filebeats. I want to create a custom pipeline.

I have already created a custom pipeline by following the steps mentioned here: https://docs.securityonion.net/en/2.3/logstash.html?highlight=pipelines#adding-new-logs

And I want to display snort as a module under even.module in alerts page.

Can anyone please guide me?

[InfosecGoon]

Are you running snort instead of Suricata on your sensor nodes? I'm wondering if we could just modify the Suricata pipeline to accommodate the data rather than building a whole new Logstash / Elasticsearch configuration.

[InfosecGoon]

That's correct - you'd need to set up an Elasticsearch pipeline to ingest the Snort logs and tag them with the proper event.module.

[kunalhiremath]

OK. Thank you

[KhemaisKebaili]

I don't mean to hijack the post, but am looking to do something similar, I am trying to ingest suricata logs that are present on a different box. I ran so-allow on SO first then installed filebeat on that box and configured it to send data to SO's logstash , I also activated the suricata filebeat module on it. By doing just this I can't seem to display the alerts on the alerts page and I can't visualize anything in kibana. Can you walk me through modifying the existent suricata pipeline in SO to accommodate my need? Would highly appreciate it!

[InfosecGoon]

You'll need to set up Suricata on this external box to log in the same format that SO uses on its sensors. Here's the output configuration from a stock suricata.yaml on a Security Onion standalone node:

outputs:
- fast:
    enabled: 'no'
    filename: fast.log
    append: 'yes'
- eve-log:
    enabled: 'yes'
    filetype: regular
    filename: /nsm/eve-%Y-%m-%d-%H:%M.json
    rotate-interval: hour
    pcap-file: false
    community-id: true
    community-id-seed: 0
    xff:
      enabled: 'no'
      mode: extra-data
      deployment: reverse
      header: X-Forwarded-For
    types:
    - alert:
        payload: 'no'
        payload-buffer-size: 4kb
        payload-printable: 'yes'
        packet: 'yes'
        metadata:
          app-layer: false
          flow: false
          rule:
            metadata: true
            raw: true
        tagged-packets: 'no'
- unified2-alert:
    enabled: 'no'
- http-log:
    enabled: 'no'
    filename: http.log
    append: 'yes'
- tls-log:
    enabled: 'no'
    filename: tls.log
    append: 'yes'
- tls-store:
    enabled: 'no'
- pcap-log:
    enabled: 'no'
    filename: log.pcap
    limit: 1000mb
    max-files: 2000
    compression: none
    mode: normal
    use-stream-depth: 'no'
    honor-pass-rules: 'no'
- alert-debug:
    enabled: 'no'
    filename: alert-debug.log
    append: 'yes'
- alert-prelude:
    enabled: 'no'
    profile: suricata
    log-packet-content: 'no'
    log-packet-header: 'yes'
- stats:
    enabled: 'yes'
    filename: stats.log
    append: 'yes'
    totals: 'yes'
    threads: 'no'
    null-values: 'yes'
- syslog:
    enabled: 'no'
    facility: local5
- drop:
    enabled: 'no'
- file-store:
    version: 2
    enabled: 'no'
    xff:
      enabled: 'no'
      mode: extra-data
      deployment: reverse
      header: X-Forwarded-For
- tcp-data:
    enabled: 'no'
    type: file
    filename: tcp-data.log
- http-body-data:
    enabled: 'no'
    type: file
    filename: http-data.log
- lua:
    enabled: 'no'
    scripts: None

[KhemaisKebaili]

Thank you for your reply!
If I may ask , I did modify the suricata.yaml on the box accordingly. When it comes to filebeat.yml file on the box shipping the suricata alerts, what do I have to setup in order to be able to work with the existent pipeline within Security Onion rather than building my own from scratch?