shotoz

Security Onion


Has anyone integrated (or tried to integrate) some components of Security Onion with ArcSight?

If so, did you integrate snort-db and bro? Are you using suricata?

Accepted Solutions
shezaf1

Re: Security Onion


Suricata logs use JSON streaming (i.e. multiple JSON objects one after the other in a single file). Support for JSON streaming was added in connector release 7.1.7 a few weeks back, specifically to support Suricata.

~ Ofer

ronaldo

Re: Security Onion


You can read the snorby db with the standard ArcSight snort db connector.

Micro Focus Frequent Contributor

Re: Security Onion


I was successfully able to read in snort logs via the syslog file connector. I had to fix some permissions issues with the directory, so you may want to look into that as well. The path that I read it from was "/var/ossec/logs/alerts/alerts.log"; the Bro smartconnector worked like a charm. I'll let you know if I run into any suricata issues.

Micro Focus Frequent Contributor

Re: Security Onion


Thank you very much!  Are you referring to the FlexConnector JSON Folder Follower?

-Peter

shezaf1

Re: Security Onion


Yup.

Micro Focus Frequent Contributor

Re: Security Onion


Awesome, thank you Ofer!

Gayan

Re: Security Onion


Hi Ofer,

Here is an example of the suricata json log for a dns query. Is it possible to read those log files with the FlexConnector JSON? And does it map the fields properly without any flex connector?

user@ubuntu:~$ tail -f /var/log/suricata/eve.json

{"timestamp":"2016-06-24T09:15:29.041194+1200","flow_id":4234292162,"in_iface":"enp2s2f0","event_type":"dns","src_ip":"192.168.1.12","src_port":40439,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":34059,"rrname":"www.stuff.co.nz","rrtype":"A","tx_id":0}}

{"timestamp":"2016-06-24T09:15:29.041194+1200","flow_id":4234292162,"in_iface":"enp2s2f0","event_type":"dns","src_ip":"192.168.1.12","src_port":40439,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":34059,"rcode":"NOERROR","rrname":"www.stuff.co.nz","rrtype":"CNAME","ttl":2141,"rdata":"kona6.fairfaxmedia.com.au.edgekey.net"}}

{"timestamp":"2016-06-24T09:15:29.041194+1200","flow_id":4234292162,"in_iface":"enp2s2f0","event_type":"dns","src_ip":"192.168.1.12","src_port":40439,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":34059,"rcode":"NOERROR","rrname":"kona6.fairfaxmedia.com.au.edgekey.net","rrtype":"CNAME","ttl":235,"rdata":"e1365.dsce2.akamaiedge.net"}}

{"timestamp":"2016-06-24T09:15:29.041194+1200","flow_id":4234292162,"in_iface":"enp2s2f0","event_type":"dns","src_ip":"192.168.1.12","src_port":40439,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":34059,"rcode":"NOERROR","rrname":"e1365.dsce2.akamaiedge.net","rrtype":"A","ttl":9,"rdata":"104.84.18.58"}}

Mr
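The accepted answer above describes eve.json as JSON streaming (one object per line), and the post above asks whether the DNS records map cleanly. As an added example, not from the thread and not ArcSight's or Suricata's own code, this Python reads such a stream, skips the record a file follower sees while it is still half-written, and correlates one query with its several answer lines by flow_id and dns.id; the function names and the trailing truncated record are my own constructions.

```python
import json
# Constructed sample of a Suricata eve.json stream, modelled on the DNS records quoted
# above (in_iface dropped); the last line is cut short, as a follower sees a record mid-write.
SAMPLE_EVE = (
    '{"timestamp":"2016-06-24T09:15:29.041194+1200","flow_id":4234292162,"event_type":"dns","src_ip":"192.168.1.12","src_port":40439,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":34059,"rrname":"www.stuff.co.nz","rrtype":"A","tx_id":0}}\n'
    '{"timestamp":"2016-06-24T09:15:29.041194+1200","flow_id":4234292162,"event_type":"dns","src_ip":"192.168.1.12","src_port":40439,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":34059,"rcode":"NOERROR","rrname":"www.stuff.co.nz","rrtype":"CNAME","ttl":2141,"rdata":"kona6.fairfaxmedia.com.au.edgekey.net"}}\n'
    '{"timestamp":"2016-06-24T09:15:29.041194+1200","flow_id":4234292162,"event_type":"dns","src_ip":"192.168.1.12","src_port":40439,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":34059,"rcode":"NOERROR","rrname":"kona6.fairfaxmedia.com.au.edgekey.net","rrtype":"CNAME","ttl":235,"rdata":"e1365.dsce2.akamaiedge.net"}}\n'
    '{"timestamp":"2016-06-24T09:15:29.041194+1200","flow_id":4234292162,"event_type":"dns","src_ip":"192.168.1.12","src_port":40439,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":34059,"rcode":"NOERROR","rrname":"e1365.dsce2.akamaiedge.net","rrtype":"A","ttl":9,"rdata":"104.84.18.58"}}\n'
    '{"timestamp":"2016-06-24T09:15:30.000000+1200","flow_id":7,"event_type":"dns","src_ip":"192.168.1.12","dest_ip":"192.168.1.1","proto":"UDP","dns":{"type":"query","id":2,"rrname":"par'
)

def parse_eve(text):
    """Complete JSON objects of a JSON-streaming file; unparseable lines (still
    being written, or corrupt) are skipped instead of aborting the feed."""
    records = []
    for line in text.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # re-read later once the writer has finished the line
    return records

def dns_resolutions(records):
    """Correlate query/answer records by (flow_id, dns.id). Suricata writes one
    answer record per resource record, so a one-to-one field mapping reports each
    CNAME hop as its own event. Returns {name: {"chain": [...], "addresses": [...]}}."""
    queries, answers = {}, {}
    for r in records:
        if r.get("event_type") != "dns":
            continue
        key = (r["flow_id"], r["dns"]["id"])
        if r["dns"]["type"] == "query":
            queries[key] = r["dns"]["rrname"]
        else:
            answers.setdefault(key, []).append(r["dns"])
    out = {}
    for key, name in queries.items():
        by_name = {}
        for a in answers.get(key, []):
            by_name.setdefault(a["rrname"], []).append(a)
        chain, addrs, cur, seen = [], [], name, set()
        while cur not in seen:  # a CNAME loop would otherwise never end
            seen.add(cur)
            for a in by_name.get(cur, []):
                if a["rrtype"] == "CNAME":
                    chain.append(cur := a["rdata"])
                elif a["rrtype"] in ("A", "AAAA"):
                    addrs.append(a["rdata"])
        out[name] = {"chain": chain, "addresses": addrs}
    return out
```

Running `dns_resolutions(parse_eve(SAMPLE_EVE))` yields one entry for www.stuff.co.nz with the two CNAME hops and the final A record, while the half-written fifth line is ignored until it is complete.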