Project

General

Profile

Support #1153

Suricata changes the output from version 4

Added by Andrew Goldy 5 days ago. Updated 5 days ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
-
Start date:
11/07/2019
Due date:
% Done:

0%

Resolution:

Description

Hello Guys!

Suricata might has changed? the default prelude-alert output, because comparing to the old release 3.x the alert text was the alert name for example "ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)", and now the alert text is swapped to description for example "Potential Corporate Privacy Violation".
Moreover comparing to snort its confirmed something was wrong with the alerting output at least in case of prelude in suricata.

Below the real world examples with the same alert from snort and suricata aspects. Both outputs are natively forwarded to prelude.
I've contacted suricata for months but still no answer... Is there any workaround to swap the two columns regarding suricata?

Suricata:

Snort:

Many thanks! :)

tempsnip.png View (6.99 KB) Andrew Goldy, 11/07/2019 06:25 PM

ftzfztfztd.PNG View (4.43 KB) Andrew Goldy, 11/07/2019 06:31 PM

jzff.PNG View (4.29 KB) Andrew Goldy, 11/07/2019 06:31 PM

History

#1 Updated by Camille GARDET 5 days ago

  • Status changed from New to Assigned
  • Assignee set to Andrew Goldy

Hello Andrew,

Thank you for reporting this.
In this case, it is the alert from Snort where the classification.text and the description are swapped. In the IDMEF format (and philosophy), the field classification.text should be as generic as possible, to ease the correlation.

We changed this behavior in suricata through this PR https://github.com/OISF/suricata/pull/3253 on GitHub.
If you are able to contribute to the Snort project by submitting a patch, it would be great. If not, we will look into it :)

Also available in: Atom PDF