Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
Suricata alerts | ✅ | | | | suricata_corelight_alerts | NDJSON | S3
Overview
This article explains how to ingest your Corelight Suricata alerts into Hunters. Corelight Suricata alerts are a different data type from regular open-source Suricata alerts (described here): they pass through the Zeek processing engine and are output in Zeek format, as explained here.
Supported data types
Suricata alerts
Table name: suricata_corelight_alerts
Suricata alerts are generated when network traffic matches a pattern or behavior defined in Suricata's extensive rule set, indicating potential security threats such as attempts to exploit vulnerabilities, malware communication, or other malicious activities. These alerts are crucial for early detection of security incidents, enabling rapid response to mitigate potential threats.
Send data to Hunters
Hunters supports the ingestion of Corelight Suricata logs via an intermediary AWS S3 bucket.
To connect Corelight Suricata logs:
Export your logs from Corelight Suricata to an AWS S3 bucket.
Once the export is complete and the logs are in S3, follow the steps in this section.
Expected format
The expected log format is NDJSON (newline-delimited JSON, one alert per line), which is configurable as part of the Corelight Suricata solution. Below is an example of a currently supported log line:
```json
{
  "_path": "sample_datalogs",
  "_system_name": "sep-uhja-030-pem012",
  "_write_ts": "2023-02-10T01:10:10.012345Z",
  "alert.action": "blocked",
  "alert.category": "Malware Attack",
  "alert.gid": 1,
  "alert.metadata": [
    "created_at:2010_09_30",
    "former_category:CHASING",
    "updated_at:2020_02_10"
  ],
  "alert.rev": 8,
  "alert.severity": 9,
  "alert.signature": "Suspicious inbound Scan MSSQL port 2567",
  "alert.signature_id": 4910836,
  "community_id": "2:qMuJPsMnsrtt5mS/A4ic+uPsaw=",
  "flow_id": 987201982837101,
  "id.orig_h": "1.2.3.4",
  "id.orig_p": 98765,
  "id.resp_h": "1.2.3.4",
  "id.resp_p": 2034,
  "id.vlan": 654,
  "pcap_cnt": 2,
  "suri_id": "M6N910tPLuR9",
  "ts": "2023-02-10T01:10:10.019987Z",
  "tx_id": 2,
  "uid": "ShPleteNmCVPILMKp"
}
```
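Before pointing a collector at the bucket, it is worth checking that an export really has this shape: one JSON object per line, with the Zeek-style dotted keys (`alert.*`, `id.*`) shown above. The following is an added example, not code from Hunters or Corelight; it parses constructed NDJSON lines in that layout, unflattens the dotted keys into nested objects, and skips lines that are not valid alerts.

```python
import json
from typing import Iterator

# Constructed sample export: two well-formed Corelight Suricata lines and one line
# that is valid JSON but not an alert (it must be skipped, not crash the parser).
SAMPLE_NDJSON = "\n".join([
    json.dumps({"_path": "suricata_corelight", "ts": "2023-02-10T01:10:10.019987Z",
                "alert.action": "blocked", "alert.category": "Malware Attack",
                "alert.severity": 9, "alert.signature": "Suspicious inbound Scan MSSQL port 2567",
                "alert.signature_id": 4910836, "id.orig_h": "1.2.3.4", "id.orig_p": 54321,
                "id.resp_h": "10.0.0.5", "id.resp_p": 1433, "uid": "ShPleteNmCVPILMKp"}),
    '{"this is": "not a Suricata alert"}',
    json.dumps({"_path": "suricata_corelight", "ts": "2023-02-10T01:12:00.000000Z",
                "alert.action": "allowed", "alert.category": "Generic Protocol Command Decode",
                "alert.severity": 3, "alert.signature": "Sample low-severity signature",
                "alert.signature_id": 2200003, "id.orig_h": "10.0.0.7", "id.orig_p": 40000,
                "id.resp_h": "10.0.0.8", "id.resp_p": 80, "uid": "CkYz0f3a1B2c3D4e5"}),
])

# Fields a line must carry to be treated as a Corelight Suricata alert (assumed minimum set).
REQUIRED = ("ts", "alert.signature_id", "alert.severity", "id.orig_h", "id.resp_h")


def unflatten(record: dict) -> dict:
    """Turn dotted keys such as "alert.severity" and "id.orig_h" into nested dicts."""
    out: dict = {}
    for key, value in record.items():
        node = out
        parts = key.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return out


def parse_ndjson(text: str) -> Iterator[dict]:
    """Yield one nested alert per valid line; blank, malformed and incomplete lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not all(field in record for field in REQUIRED):
            continue
        yield unflatten(record)


def alerts_at_or_above(text: str, min_severity: int) -> list[dict]:
    """Return parsed alerts whose alert.severity is at least min_severity."""
    return [a for a in parse_ndjson(text) if a["alert"]["severity"] >= min_severity]
```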