Sagan with Suricata

[Alee]

Hello!

I am trying to correlate Suricata's output logs events with Sagan and I don't know if Sagan supports json files as inputs. Thanks!

Alee

[Champ Clark III]

> I am trying to correlate Suricata's output logs events with Sagan and I don't know if Sagan supports json files as inputs. Thanks!

Sounds like fun! :)  It's interesting you mention this.   I'm currently working on semi-compatible Suricata EVE type's of outputs.  Right now,  Sagan will write out in a Suricata "Alert" JSON/EVE output.   It's still experiential but does work with programs like EveBox for correlation.   For example,  see https://twitter.com/dabeave666/status/837370455422087168

You can enable Alert EVE type output in your "sagan.yaml",  find the "eve-log" section.

Let me know how it works out!

[Alee]

Thanks for answering! I already found that I could take Suricata's unified2 output and correlate this with Sagan as an input. Am I right?

[Champ Clark III]

Yes.   You'll need to use something like Barnyard2 or u2spew, but yes...  you'll be able to get the data in one area (MySQL) and do correlation between Suricata/Snort/Sagan.

---

From: "Alee" <amfh...@gmail.com>
To: "sagan-users" <sagan...@googlegroups.com>
Sent: Monday, March 20, 2017 2:06:39 PM
Subject: Re: [sagan-users] Sagan with Suricata

--
You received this message because you are subscribed to the Google Groups "sagan-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sagan-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Hussein Abdallah]

Hello, I am new to Sagan and I installed it with Snort and Barnyard2 to get all the data in one area (MySQL database). I can see now both Sagan and Snort events stored in that database using Snorby. However, I was wondering if Sagan can use this database to automatically correlate events or if I need some external SIEM to do that. For instance, if Sagan detects an error in my Bind DNS server log and a few moments later Snort also detects a strange DNS query sent on the network to the IP address of the same DNS server, can Sagan correlate these two events to send an alert or I need something like AlienVault OSSIM or Prelude to do that ? (I am asking because I have actually configured such correlations in OSSIM with Suricata and OSSEC and I wonder if I can achieve the same result with Sagan).

[Steve Rawls]

This is actually fairly straightforward. In addition to unified2, Snort can output in a text format that includes the rule name, as well as source and destination IPs and ports. If you have Sagan ingest those logs, you can use them to set flowbits that can be used by Sagan. Since there are a huge number of Snort rules, I would recommend setting Sagan flowbits based on a Snort rule category. For example, Snort DNS related rules can be used to set a Sagan flowbit specifically to watch DNS events, which can then be added to DNS related Sagan rules to provide correlation. The reverse also works. Sagan rules can set a flowbit that can be used by other Sagan rules designed to trigger on ingested Snort logs.

I hope this helps!

Steve

[Hussein Abdallah]

Yes, thank you very much!