Suricata changed the output from version 4
Suricata might have changed the default prelude-alert output, because compared to the old 3.x release the alert text was the alert name, for example "ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)", and now the alert text is swapped to the description, for example "Potential Corporate Privacy Violation".
Moreover, comparing to Snort, it's confirmed something was wrong with the alerting output, at least in the case of Prelude in Suricata.
Below are the real-world examples with the same alert from the Snort and Suricata sides. Both outputs are natively forwarded to Prelude.
I've contacted Suricata for months but still no answer... Is there any workaround to swap the two columns regarding Suricata?
#1 Updated by Camille GARDET over 1 year ago
- Status changed from New to Assigned
- Assignee set to Andrew Goldy
Thank you for reporting this.
In this case, it is the alert from Snort where the classification.text and the description are swapped. In the IDMEF format (and philosophy), the field classification.text should be as generic as possible, to ease the correlation.
We changed this behavior in suricata through this PR https://github.com/OISF/suricata/pull/3253 on GitHub.
If you are able to contribute to the Snort project by submitting a patch, it would be great. If not, we will look into it.
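To make the IDMEF point in the reply concrete, here is an added example (not code from the Prelude, Suricata or Snort projects) showing why the field order matters for correlation. It normalises alerts from a sensor whose output puts the rule message in classification.text (as the reply says Snort's does) and then groups alerts by classification.text. The two sample records are constructed from the strings quoted in the report; the flat record layout with dotted keys and the "analyzer" field are assumptions for illustration, not Prelude's actual data model.

```python
from collections import defaultdict

# Constructed sample alerts modelled on the report above: the same event as
# emitted by Snort (fields swapped) and by Suricata 4 (fields as IDMEF intends).
# The flat record layout is an assumption made for this example.
SAMPLE_ALERTS = [
    {
        "analyzer": "Snort",
        "classification.text": "ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)",
        "description": "Potential Corporate Privacy Violation",
        "source": "10.0.0.5",
        "target": "203.0.113.7",
    },
    {
        "analyzer": "Suricata",
        "classification.text": "Potential Corporate Privacy Violation",
        "description": "ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)",
        "source": "10.0.0.5",
        "target": "203.0.113.7",
    },
]

# Analyzers whose Prelude output is reported in this thread to carry the
# rule message in classification.text. Extend only after checking the sensor's
# own output; this is a workaround, not a fix of the sensor's plugin.
SWAPPED_ANALYZERS = {"Snort"}


def normalize(alert):
    """Return a copy in which classification.text holds the generic category
    and description holds the rule-specific message (IDMEF convention)."""
    fixed = dict(alert)
    if alert["analyzer"] in SWAPPED_ANALYZERS:
        fixed["classification.text"] = alert["description"]
        fixed["description"] = alert["classification.text"]
    return fixed


def correlate(alerts, fix=True):
    """Group alerts by classification.text, the key an IDMEF correlator uses.

    With fix=False the raw records are grouped as received, which shows the
    swapped Snort alert landing in its own group instead of beside Suricata's.
    """
    groups = defaultdict(list)
    for alert in alerts:
        if fix:
            alert = normalize(alert)
        groups[alert["classification.text"]].append(alert["analyzer"])
    return dict(groups)


if __name__ == "__main__":
    print("raw      :", correlate(SAMPLE_ALERTS, fix=False))
    print("normalized:", correlate(SAMPLE_ALERTS))
```

Without normalisation the same event from the two sensors is keyed under two different strings and never correlates; after swapping the Snort fields both alerts share the generic "Potential Corporate Privacy Violation" key, while the rule-specific message survives in description.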