Suricata Logs
Connecting Suricata logs to your Panther Console
Panther supports ingesting Suricata logs via common Data Transport options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.
To connect these logs into Panther:
1. Set up your Data Transport in the Panther Console. Follow Panther's documentation for configuring the Data Transport option you will use.
2. Configure Suricata to push logs to the Data Transport source. See Suricata's documentation for instructions on pushing logs to your selected Data Transport source.
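One practical step between the two items above is deciding which EVE lines are worth shipping. This added example (not Panther's or Suricata's own code) reads Suricata's one-JSON-object-per-line EVE output, keeps only the event types this page defines schemas for, and rejects any line whose timestamp does not match the strftime=%Y-%m-%dT%H:%M:%S.%f%z format the schemas declare, so malformed lines never reach the bucket or queue. The sample lines are constructed, and the choice of which event types to keep is this example's assumption.

```python
"""Pre-filter Suricata EVE JSON before it is shipped to a Panther data transport."""
import json
from datetime import datetime, timezone

# Event types for which this page defines a Suricata.* schema (assumption:
# these are the only ones you have enabled in Panther).
SUPPORTED_EVENT_TYPES = {"alert", "anomaly", "dhcp", "dns", "fileinfo", "flow"}

# Same format string as the `timeFormat: strftime=...` line in the schemas.
EVE_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_eve_timestamp(value: str) -> datetime:
    """Parse an EVE timestamp into an aware UTC datetime; raises ValueError if malformed."""
    return datetime.strptime(value, EVE_TIME_FORMAT).astimezone(timezone.utc)


def classify_line(line: str):
    """
    Return (event_type, event) for a line Panther has a schema for, or
    (None, reason) for a line that should be dropped. Never raises on bad input.
    """
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None, "not JSON"
    if not isinstance(event, dict):
        return None, "not an object"
    event_type = event.get("event_type")
    if event_type not in SUPPORTED_EVENT_TYPES:
        return None, f"unsupported event_type {event_type!r}"
    try:
        parse_eve_timestamp(event["timestamp"])
    except (KeyError, TypeError, ValueError):
        return None, "missing or malformed timestamp"
    return event_type, event


def batch_by_event_type(lines):
    """Group shippable events by event_type (one batch per Panther log type) and count rejects by reason."""
    batches = {}
    rejected = {}
    for line in lines:
        event_type, result = classify_line(line)
        if event_type is None:
            rejected[result] = rejected.get(result, 0) + 1
            continue
        batches.setdefault(event_type, []).append(result)
    return batches, rejected


# Constructed sample EVE lines (not captured traffic): two good lines, one
# event type Panther has no schema for here, one bad timestamp, one non-JSON line.
SAMPLE_LINES = [
    '{"timestamp":"2024-05-01T12:00:00.123456+0000","flow_id":1,"event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.9","alert":{"severity":1,"signature":"x"}}',
    '{"timestamp":"2024-05-01T12:00:01.000001+0000","flow_id":2,"event_type":"dns",'
    '"dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2024-05-01T12:00:02.000000+0000","flow_id":3,"event_type":"stats"}',
    '{"timestamp":"2024-05-01 12:00:03","flow_id":4,"event_type":"flow"}',
    "this is not json",
]

if __name__ == "__main__":
    batches, rejected = batch_by_event_type(SAMPLE_LINES)
    for event_type, events in batches.items():
        print(event_type, len(events))
    print("rejected:", rejected)
```

Keeping one batch per event type also makes it easy to route each type to its own S3 prefix or queue, which keeps the per-log-type source configuration in the Panther Console simple.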
Required fields in all tables are in bold; in the schema listings below they are marked with required: true.
Suricata parser for the Alert event type in the EVE JSON output.
```yaml
parser:
  native:
    name: Suricata.Alert
fields:
  - name: files
    description: files
    type: array
    element:
      type: object
      fields:
        - name: filename
          required: true
          description: filename
          type: string
        - name: gaps
          required: true
          description: gaps
          type: boolean
        - name: size
          required: true
          description: size
          type: bigint
        - name: state
          required: true
          description: state
          type: string
        - name: stored
          required: true
          description: stored
          type: boolean
        - name: tx_id
          required: true
          description: tx_id
          type: bigint
  - name: tx_id
    description: tx_id
    type: bigint
  - name: http
    description: http
    type: object
    fields:
      - name: http_content_type
        description: http_content_type
        type: string
      - name: hostname
        description: hostname
        type: string
      - name: http_method
        description: http_method
        type: string
      - name: http_user_agent
        description: http_user_agent
        type: string
      - name: length
        description: length
        type: bigint
      - name: protocol
        description: protocol
        type: string
      - name: status
        description: status
        type: bigint
      - name: url
        description: url
        type: string
  - name: ssh
    description: ssh
    type: object
    fields:
      - name: server
        description: server
        type: object
        fields:
          - name: proto_version
            required: true
            description: proto_version
            type: float
          - name: software_version
            required: true
            description: software_version
            type: string
  - name: app_proto_tc
    description: app_proto_tc
    type: string
  - name: tls
    description: tls
    type: object
    fields:
      - name: sni
        description: sni
        type: string
        indicators:
          - ip
      - name: ja3
        required: true
        description: ja3
        type: object
        fields:
          - name: hash
            required: true
            description: hash
            type: string
          - name: string
            required: true
            description: string
            type: string
      - name: version
        required: true
        description: version
        type: string
  - name: app_proto
    description: app_proto
    type: string
  - name: metadata
    description: metadata
    type: object
    fields:
      - name: flowbits
        description: flowbits
        type: array
        element:
          type: string
      - name: flowints
        description: flowints
        type: object
        fields:
          - name: applayer.anomaly.count
            description: applayer.anomaly.count
            type: bigint
  - name: alert
    required: true
    description: alert
    type: object
    fields:
      - name: metadata
        description: metadata
        type: object
        fields:
          - name: former_category
            description: former_category
            type: array
            element:
              type: string
          - name: affected_product
            description: affected_product
            type: array
            element:
              type: string
          - name: attack_target
            description: attack_target
            type: array
            element:
              type: string
          - name: deployment
            description: deployment
            type: array
            element:
              type: string
          - name: signature_severity
            description: signature_severity
            type: array
            element:
              type: string
          - name: tag
            description: tag
            type: array
            element:
              type: string
          - name: created_at
            required: true
            description: created_at
            type: array
            element:
              type: float
          - name: updated_at
            required: true
            description: updated_at
            type: array
            element:
              type: float
      - name: action
        required: true
        description: action
        type: string
      - name: category
        required: true
        description: category
        type: string
      - name: gid
        required: true
        description: gid
        type: bigint
      - name: rev
        required: true
        description: rev
        type: bigint
      - name: severity
        required: true
        description: severity
        type: bigint
      - name: signature
        required: true
        description: signature
        type: string
      - name: signature_id
        required: true
        description: signature_id
        type: bigint
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow
    required: true
    description: flow
    type: object
    fields:
      - name: bytes_toclient
        required: true
        description: bytes_toclient
        type: bigint
      - name: bytes_toserver
        required: true
        description: bytes_toserver
        type: bigint
      - name: pkts_toclient
        required: true
        description: pkts_toclient
        type: bigint
      - name: pkts_toserver
        required: true
        description: pkts_toserver
        type: bigint
      - name: start
        required: true
        description: start
        type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata Alert Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
```
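The Suricata.Alert schema above is what a Panther detection is written against. The following is an added example of such a rule, not a rule from Panther's rule packs or Suricata's own code: it fires on top-severity signatures that Suricata saw but did not block, groups alerts per signature and source host, and surfaces the nested TLS, HTTP and flow fields an analyst wants first. deep_get is a local stand-in for Panther's event.deep_get so the module runs without the Panther runtime; the severity threshold, the ignored categories and the "allowed"-only condition are this example's own choices, and the sample event is constructed.

```python
"""Panther-style detection over Suricata.Alert events (added example, not a Panther rule)."""
from typing import Any, Mapping

# Suricata signature priority: 1 is the highest, 3 the lowest (assumption: alert only on 1).
MAX_SEVERITY_TO_ALERT = 1

# Alert categories treated as noise here (assumption; tune per environment).
IGNORED_CATEGORIES = {"Not Suspicious Traffic", "Generic Protocol Command Decode"}


def deep_get(event: Mapping[str, Any], *keys: str, default: Any = None) -> Any:
    """Walk nested mappings; return `default` if any key along the path is missing."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, Mapping) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event: Mapping[str, Any]) -> bool:
    """Fire on top-severity signatures that Suricata saw but did not block."""
    if event.get("event_type") != "alert":
        return False
    if deep_get(event, "alert", "category") in IGNORED_CATEGORIES:
        return False
    severity = deep_get(event, "alert", "severity")
    if not isinstance(severity, int) or severity > MAX_SEVERITY_TO_ALERT:
        return False
    # In IDS mode every alert carries action "allowed"; in IPS mode "blocked"
    # means the packet was already dropped, which this rule leaves to a
    # lower-priority detection.
    return deep_get(event, "alert", "action") == "allowed"


def title(event: Mapping[str, Any]) -> str:
    signature = deep_get(event, "alert", "signature", default="<unknown signature>")
    return (
        f"Suricata: {signature} "
        f"{event.get('src_ip')}:{event.get('src_port')} -> "
        f"{event.get('dest_ip')}:{event.get('dest_port')}"
    )


def dedup(event: Mapping[str, Any]) -> str:
    """Group by signature and source host: one alert per noisy host, not one per packet."""
    return f"{deep_get(event, 'alert', 'signature_id')}:{event.get('src_ip')}"


def alert_context(event: Mapping[str, Any]) -> dict:
    """Nested enrichment from the schema: JA3, SNI, HTTP host and URL, flow volume."""
    return {
        "signature_id": deep_get(event, "alert", "signature_id"),
        "category": deep_get(event, "alert", "category"),
        "app_proto": event.get("app_proto"),
        "tls_sni": deep_get(event, "tls", "sni"),
        "ja3_hash": deep_get(event, "tls", "ja3", "hash"),
        "http_host": deep_get(event, "http", "hostname"),
        "http_url": deep_get(event, "http", "url"),
        "bytes_toserver": deep_get(event, "flow", "bytes_toserver"),
        "flow_id": event.get("flow_id"),
    }


# Constructed sample event (not captured traffic). The signature id is in the
# local/private sid range and the JA3 hash and string are placeholders.
SAMPLE_ALERT = {
    "timestamp": "2024-05-01T12:00:00.123456+0000",
    "event_type": "alert",
    "flow_id": 1234567890,
    "in_iface": "eth0",
    "proto": "TCP",
    "src_ip": "10.0.0.5",
    "src_port": 51234,
    "dest_ip": "203.0.113.9",
    "dest_port": 443,
    "app_proto": "tls",
    "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 1000001,
        "rev": 2,
        "signature": "LOCAL Outbound TLS to watchlisted JA3",
        "category": "Malware Command and Control Activity Detected",
        "severity": 1,
        "metadata": {"signature_severity": ["Major"]},
    },
    "tls": {
        "sni": "c2.example.test",
        "version": "TLS 1.2",
        "ja3": {"hash": "00000000000000000000000000000000", "string": "771,4865-4866,0-23,29-23,0"},
    },
    "flow": {"pkts_toserver": 12, "pkts_toclient": 10, "bytes_toserver": 2310,
             "bytes_toclient": 5120, "start": "2024-05-01T11:59:58.000000+0000"},
}
# Variants: same alert blocked by IPS, and the same alert at the lowest severity.
SAMPLE_BLOCKED = {**SAMPLE_ALERT, "alert": {**SAMPLE_ALERT["alert"], "action": "blocked"}}
SAMPLE_LOW = {**SAMPLE_ALERT, "alert": {**SAMPLE_ALERT["alert"], "severity": 3}}

if __name__ == "__main__":
    for name, ev in (("allowed", SAMPLE_ALERT), ("blocked", SAMPLE_BLOCKED), ("low", SAMPLE_LOW)):
        print(name, rule(ev), title(ev) if rule(ev) else "")
```

Deduplicating on signature_id plus src_ip rather than on flow_id matters in practice: a scanning host trips the same signature on every connection, and flow_id would turn that into one Panther alert per flow.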
Suricata parser for the Anomaly event type in the EVE JSON output.
Column | Type | Description |
--- | --- | --- |
anomaly | { "code":bigint, "event":string, "layer":string, "type":string } | Suricata Anomaly Anomaly |
app_proto | string | Suricata Anomaly AppProto |
community_id | string | Suricata Anomaly CommunityID |
dest_ip | string | Suricata Anomaly DestIP |
dest_port | int | Suricata Anomaly DestPort |
event_type | string | Suricata Anomaly EventType |
flow_id | bigint | Suricata Anomaly FlowID |
icmp_code | bigint | Suricata Anomaly IcmpCode |
icmp_type | bigint | Suricata Anomaly IcmpType |
metadata | { "flowbits":[string], "flowints":{ "applayer_anomaly_count":bigint, "http_anomaly_count":bigint, "tcp_retransmission_count":bigint, "tls_anomaly_count":bigint } } | Suricata Anomaly Metadata |
packet | string | Suricata Anomaly Packet |
packet_info | { "linktype":bigint } | Suricata Anomaly PacketInfo |
pcap_cnt | bigint | Suricata Anomaly PcapCnt |
pcap_filename | string | Suricata Anomaly PcapFilename |
proto | bigint | Suricata Anomaly Proto |
src_ip | string | Suricata Anomaly SrcIP |
src_port | int | Suricata Anomaly SrcPort |
timestamp | timestamp | Suricata Anomaly Timestamp |
tx_id | bigint | Suricata Anomaly TxID |
vlan | [bigint] | Suricata Anomaly Vlan |
p_log_type | string | Panther added field with type of log |
p_row_id | string | Panther added field with unique id (within table) |
p_event_time | timestamp | Panther added standardized event time (UTC) |
p_parse_time | timestamp | Panther added standardized log parse time (UTC) |
p_source_id | string | Panther added field with the source id |
p_source_label | string | Panther added field with the source label |
p_any_ip_addresses | [string] | Panther added field with collection of ip addresses associated with the row |
p_any_domain_names | [string] | Panther added field with collection of domain names associated with the row |
p_any_sha1_hashes | [string] | Panther added field with collection of SHA1 hashes associated with the row |
p_any_md5_hashes | [string] | Panther added field with collection of MD5 hashes associated with the row |
p_any_sha256_hashes | [string] | Panther added field with collection of SHA256 hashes associated with the row |
Suricata parser for the DHCP event type in the EVE JSON output.
```yaml
parser:
  native:
    name: Suricata.DHCP
description: Suricata parser for the DHCP event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-5.0.2/output/eve/eve-json-output.html
fields:
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: dhcp
    required: true
    description: dhcp
    type: object
    fields:
      - name: assigned_ip
        required: true
        description: assigned_ip
        type: string
        indicators:
          - ip
      - name: client_mac
        required: true
        description: client_mac
        type: string
      - name: dhcp_type
        required: true
        description: dhcp_type
        type: string
      - name: hostname
        required: true
        description: hostname
        type: string
      - name: id
        required: true
        description: id
        type: string
        indicators:
          - trace_id
      - name: type
        required: true
        description: type
        type: string
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata DHCP Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
```
Suricata parser for the DNS event type in the EVE JSON output.
Column | Type | Description |
--- | --- | --- |
community_id | string | Suricata DNS CommunityID |
dns | { "aa":boolean, "answers":[{ "rdata":string, "rrname":string, "rrtype":string, "ttl":bigint }], "authorities":[{ "rrname":string, "rrtype":string, "ttl":bigint }], "flags":string, "grouped":{ "A":[string], "AAAA":[string], "CNAME":[string], "MX":[string], "PTR":[string], "TXT":[string] }, "id":bigint, "qr":boolean, "ra":boolean, "rcode":string, "rd":boolean, "rrname":string, "rdata":string, "rrtype":string, "ttl":bigint, "tx_id":bigint, "type":string, "version":bigint } | Suricata DNS DNS |
dest_ip | string | Suricata DNS DestIP |
dest_port | int | Suricata DNS DestPort |
event_type | string | Suricata DNS EventType |
flow_id | bigint | Suricata DNS FlowID |
pcap_cnt | bigint | Suricata DNS PcapCnt |
pcap_filename | string | Suricata DNS PcapFilename |
proto | bigint | Suricata DNS Proto |
src_ip | string | Suricata DNS SrcIP |
src_port | int | Suricata DNS SrcPort |
timestamp | timestamp | Suricata DNS Timestamp |
vlan | [bigint] | Suricata DNS Vlan |
p_log_type | string | Panther added field with type of log |
p_row_id | string | Panther added field with unique id (within table) |
p_event_time | timestamp | Panther added standardized event time (UTC) |
p_parse_time | timestamp | Panther added standardized log parse time (UTC) |
p_source_id | string | Panther added field with the source id |
p_source_label | string | Panther added field with the source label |
p_any_ip_addresses | [string] | Panther added field with collection of ip addresses associated with the row |
p_any_domain_names | [string] | Panther added field with collection of domain names associated with the row |
p_any_sha1_hashes | [string] | Panther added field with collection of SHA1 hashes associated with the row |
p_any_md5_hashes | [string] | Panther added field with collection of MD5 hashes associated with the row |
p_any_sha256_hashes | [string] | Panther added field with collection of SHA256 hashes associated with the row |
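The dns.type, dns.rrname and dns.rrtype columns in the Suricata.DNS table above are enough for a stateless tunnelling and exfiltration heuristic. The following is an added example, not a rule from Panther's rule packs or Suricata's own code: it scores each query (answers repeat the same name, so they are skipped) by longest label and total subdomain length, and treats record types favoured by tunnelling tools as an extra signal on moderately long names. The thresholds, the record-type list and the two-label "parent domain" approximation are this example's assumptions (a public-suffix list is the proper fix for the last one); the events are constructed.

```python
"""Detection over Suricata.DNS events: DNS tunnelling / exfiltration heuristic (added example)."""
from typing import Any, Dict, List, Mapping, Tuple

MAX_LABEL_LEN = 40          # labels max out at 63; encoded payloads sit near that (assumption)
MAX_PREFIX_LEN = 100        # total subdomain characters before the parent domain (assumption)
TUNNEL_RRTYPES = {"TXT", "NULL", "CNAME", "MX"}   # record types tunnelling tools favour (assumption)
MIN_PREFIX_FOR_RRTYPE = 30  # treat those rrtypes as signal only on long names (assumption)
ALLOWLIST_SUFFIXES = ("in-addr.arpa", "ip6.arpa")  # reverse lookups are long by design


def parent_and_prefix(name: str) -> Tuple[str, List[str]]:
    """Split "a.b.c.example.com." into ("example.com", ["a", "b", "c"]); two-label parent is an approximation."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), []
    return ".".join(labels[-2:]), labels[:-2]


def score_name(name: str) -> Dict[str, Any]:
    """Length features of the part of the name the client controls."""
    parent, prefix_labels = parent_and_prefix(name)
    return {
        "parent": parent,
        "max_label": max((len(label) for label in prefix_labels), default=0),
        "prefix_len": sum(len(label) for label in prefix_labels),
    }


def rule(event: Mapping[str, Any]) -> bool:
    if event.get("event_type") != "dns":
        return False
    dns = event.get("dns") or {}
    # Score each query once; answer records carry the same rrname again.
    if dns.get("type") != "query":
        return False
    name = (dns.get("rrname") or "").rstrip(".").lower()
    if not name or name.endswith(ALLOWLIST_SUFFIXES):
        return False
    s = score_name(name)
    if s["max_label"] > MAX_LABEL_LEN or s["prefix_len"] > MAX_PREFIX_LEN:
        return True
    return dns.get("rrtype") in TUNNEL_RRTYPES and s["prefix_len"] >= MIN_PREFIX_FOR_RRTYPE


def title(event: Mapping[str, Any]) -> str:
    dns = event.get("dns") or {}
    return f"Suricata DNS: suspicious {dns.get('rrtype')} query for {dns.get('rrname')} from {event.get('src_ip')}"


def dedup(event: Mapping[str, Any]) -> str:
    """One alert per source host and parent domain, however many subdomains it queries."""
    parent, _ = parent_and_prefix((event.get("dns") or {}).get("rrname") or "")
    return f"{event.get('src_ip')}:{parent}"


def _query(src_ip: str, rrname: str, rrtype: str = "A", dns_type: str = "query") -> dict:
    """Build a constructed Suricata.DNS event (not captured traffic)."""
    return {
        "timestamp": "2024-05-01T12:00:00.000000+0000", "event_type": "dns", "flow_id": 42,
        "proto": "UDP", "src_ip": src_ip, "src_port": 53000, "dest_ip": "10.0.0.53", "dest_port": 53,
        "dns": {"type": dns_type, "id": 1, "rrname": rrname, "rrtype": rrtype, "tx_id": 0},
    }


HEX_LABEL = ("0123456789abcdef" * 4)[:63]  # a maximal-length label as a tunnel would emit
SAMPLES = {
    "benign": _query("10.0.0.5", "www.example.com"),
    "benign_long_cdn": _query("10.0.0.5", "static-assets-images-production.cdn.example.com"),
    "reverse": _query("10.0.0.5", "9.113.0.203.in-addr.arpa", rrtype="PTR"),
    "tunnel_label": _query("10.0.0.7", f"{HEX_LABEL}.t.tunnel.example.net", rrtype="TXT"),
    "tunnel_answer": _query("10.0.0.7", f"{HEX_LABEL}.t.tunnel.example.net", rrtype="TXT", dns_type="answer"),
    "txt_medium": _query("10.0.0.8", "abcdefghijklmnopqrstuvwxyz0123456789.x.example.org", rrtype="TXT"),
}

if __name__ == "__main__":
    for label, ev in SAMPLES.items():
        print(f"{label:16} fires={rule(ev)}  dedup={dedup(ev)}")
```

Character entropy is deliberately left out: at these lengths ordinary hyphenated CDN names score as high as hex payloads, so it adds false positives without separating the two classes. The stronger signal, distinct-subdomain count per parent domain per source, needs state and belongs in a scheduled query over the Suricata.DNS table rather than in a per-event rule.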
Suricata parser for the FileInfo event type in the EVE JSON output.
```yaml
schema: Suricata.FileInfo
parser:
  native:
    name: Suricata.FileInfo
description: Suricata parser for the FileInfo event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/file-extraction/file-extraction.html#file-store-and-eve-fileinfo
fields:
  - name: app_proto
    required: true
    description: app_proto
    type: string
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: fileinfo
    required: true
    description: fileinfo
    type: object
    fields:
      - name: filename
        required: true
        description: filename
        type: string
      - name: gaps
        required: true
        description: gaps
        type: boolean
      - name: size
        required: true
        description: size
        type: bigint
      - name: state
        required: true
        description: state
        type: string
      - name: stored
        required: true
        description: stored
        type: boolean
      - name: tx_id
        required: true
        description: tx_id
        type: bigint
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: http
    required: true
    description: http
    type: object
    fields:
      - name: http_user_agent
        description: http_user_agent
        type: string
      - name: http_content_type
        description: http_content_type
        type: string
      - name: hostname
        required: true
        description: hostname
        type: string
      - name: http_method
        required: true
        description: http_method
        type: string
      - name: length
        required: true
        description: length
        type: bigint
      - name: protocol
        required: true
        description: protocol
        type: string
      - name: status
        required: true
        description: status
        type: bigint
      - name: url
        required: true
        description: url
        type: string
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata FileInfo Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
```
Suricata parser for the Flow event type in the EVE JSON output.
```yaml
schema: Suricata.Flow
parser:
  native:
    name: Suricata.Flow
description: Suricata parser for the Flow event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-format.html#event-type-flow
fields:
  - name: app_proto_tc
    description: app_proto_tc
    type: string
  - name: icmp_code
    description: icmp_code
    type: bigint
  - name: icmp_type
    description: icmp_type
    type: bigint
  - name: metadata
    description: metadata
    type: object
    fields:
      - name: flowbits
        description: flowbits
        type: array
        element:
          type: string
      - name: flowints
        description: flowints
        type: object
        fields:
          - name: applayer.anomaly.count
            description: applayer.anomaly.count
            type: bigint
  - name: app_proto
    description: app_proto
    type: string
  - name: tcp
    description: tcp
    type: object
    fields:
      - name: psh
        description: psh
        type: boolean
      - name: cwr
        description: cwr
        type: boolean
      - name: ecn
        description: ecn
        type: boolean
      - name: fin
        description: fin
        type: boolean
      - name: rst
        description: rst
        type: boolean
      - name: ack
        description: ack
        type: boolean
      - name: state
        description: state
        type: string
      - name: syn
        description: syn
        type: boolean
      - name: tcp_flags
        required: true
        description: tcp_flags
        type: string
      - name: tcp_flags_tc
        required: true
        description: tcp_flags_tc
        type: string
      - name: tcp_flags_ts
        required: true
        description: tcp_flags_ts
        type: string
  - name: dest_port
    description: dest_port
    type: bigint
  - name: src_port
    description: src_port
    type: bigint
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow
    required: true
    description: flow
    type: object
    fields:
      - name: age
        required: true
        description: age
        type: bigint
      - name: alerted
        required: true
        description: alerted
        type: boolean
      - name: bytes_toclient
        required: true
        description: bytes_toclient
        type: bigint
      - name: bytes_toserver
        required: true
        description: bytes_toserver
        type: bigint
      - name: end
        required: true
        description: end
        type: string
      - name: pkts_toclient
        required: true
        description: pkts_toclient
        type: bigint
      - name: pkts_toserver
        required: true
        description: pkts_toserver
        type: bigint
      - name: reason
        required: true
        description: reason
        type: string
      - name: start
        required: true
        description: start
        type: string
      - name: state
        required: true
        description: state
        type: string
  - name: flow_id
```