# Suricata Logs

## Overview

Panther supports ingesting Suricata logs through the common [Data Transport](https://docs.panther.com/ko/data-onboarding/data-transports) options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.

## How to onboard Suricata logs to Panther

To connect these logs to Panther:

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New** and enter the ID of the account in which Panther is installed.
3. Search for the log type you want to onboard, then click its tile.
4. Select the Data Transport method you want to use for this integration, then follow Panther's instructions for configuring that method:
   * [AWS CloudWatch](https://docs.panther.com/data-onboarding/data-transports/cwl-source)
   * [AWS SQS](https://docs.panther.com/data-onboarding/data-transports/sqs)
   * [AWS S3 bucket](https://docs.panther.com/data-onboarding/data-transports/s3)
5. Configure Suricata to push logs to your Data Transport source.
   * See the Suricata documentation for how to push logs to the Data Transport source you selected.

## Supported log types

### Suricata.Alert

Suricata parser for the Alert event type in the EVE JSON output.

For details, see the Suricata documentation.

Reference: [Suricata.Alert](https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-output.html#alerts)

```yaml
schema: Suricata.Alert
parser:
  native:
    name: Suricata.Alert
fields:
  - name: files
    description: files
    type: array
    element:
      type: object
      fields:
        - name: filename
          required: true
          description: filename
          type: string
        - name: gaps
          required: true
          description: gaps
          type: boolean
        - name: size
          required: true
          description: size
          type: bigint
        - name: state
          required: true
          description: state
          type: string
        - name: stored
          required: true
          description: stored
          type: boolean
        - name: tx_id
          required: true
          description: tx_id
          type: bigint
  - name: tx_id
    description: tx_id
    type: bigint
  - name: http
    description: http
    type: object
    fields:
      - name: http_content_type
        description: http_content_type
        type: string
      - name: hostname
        description: hostname
        type: string
      - name: http_method
        description: http_method
        type: string
      - name: http_user_agent
        description: http_user_agent
        type: string
      - name: length
        description: length
        type: bigint
      - name: protocol
        description: protocol
        type: string
      - name: status
        description: status
        type: bigint
      - name: url
        description: url
        type: string
  - name: ssh
    description: ssh
    type: object
    fields:
      - name: server
        description: server
        type: object
        fields:
          - name: proto_version
            required: true
            description: proto_version
            type: float
          - name: software_version
            required: true
            description: software_version
            type: string
  - name: app_proto_tc
    description: app_proto_tc
    type: string
  - name: tls
    description: tls
    type: object
    fields:
      - name: sni
        description: sni
        type: string
        indicators:
          - ip
      - name: ja3
        required: true
        description: ja3
        type: object
        fields:
          - name: hash
            required: true
            description: hash
            type: string
          - name: string
            required: true
            description: string
            type: string
      - name: version
        required: true
        description: version
        type: string
  - name: app_proto
    description: app_proto
    type: string
  - name: metadata
    description: metadata
    type: object
    fields:
      - name: flowbits
        description: flowbits
        type: array
        element:
          type: string
      - name: flowints
        description: flowints
        type: object
        fields:
          - name: applayer.anomaly.count
            description: applayer.anomaly.count
            type: bigint
  - name: alert
    required: true
    description: alert
    type: object
    fields:
      - name: metadata
        description: metadata
        type: object
        fields:
          - name: former_category
            description: former_category
            type: array
            element:
              type: string
          - name: affected_product
            description: affected_product
            type: array
            element:
              type: string
          - name: attack_target
            description: attack_target
            type: array
            element:
              type: string
          - name: deployment
            description: deployment
            type: array
            element:
              type: string
          - name: signature_severity
            description: signature_severity
            type: array
            element:
              type: string
          - name: tag
            description: tag
            type: array
            element:
              type: string
          - name: created_at
            required: true
            description: created_at
            type: array
            element:
              type: float
          - name: updated_at
            required: true
            description: updated_at
            type: array
            element:
              type: float
      - name: action
        required: true
        description: action
        type: string
      - name: category
        required: true
        description: category
        type: string
      - name: gid
        required: true
        description: gid
        type: bigint
      - name: rev
        required: true
        description: rev
        type: bigint
      - name: severity
        required: true
        description: severity
        type: bigint
      - name: signature
        required: true
        description: signature
        type: string
      - name: signature_id
        required: true
        description: signature_id
        type: bigint
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow
    required: true
    description: flow
    type: object
    fields:
      - name: bytes_toclient
        required: true
        description: bytes_toclient
        type: bigint
      - name: bytes_toserver
        required: true
        description: bytes_toserver
        type: bigint
      - name: pkts_toclient
        required: true
        description: pkts_toclient
        type: bigint
      - name: pkts_toserver
        required: true
        description: pkts_toserver
        type: bigint
      - name: start
        required: true
        description: start
        type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
```
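To show what the schema above actually enforces on a raw EVE line (required fields, `bigint` versus `string`, the `strftime` time format, and how `ip` indicators feed the `p_any_ip_addresses` column listed in the tables below), here is an added, self-contained illustration; it is not Panther's parser, the field table inside it is a hand-picked subset of the Suricata.Alert schema, and the sample log lines and the rule that a non-IP value under an `ip` indicator is dropped are assumptions of this example.

```python
"""Schema-driven check of one Suricata EVE 'alert' line (added illustration,
not Panther code). ALERT_FIELDS is a subset of the Suricata.Alert schema."""
import ipaddress
import json
from datetime import datetime, timezone

# (dotted path, required, schema type, indicators) copied from the YAML above.
ALERT_FIELDS = [
    ("timestamp", True, "timestamp", []),
    ("event_type", True, "string", []),
    ("flow_id", True, "bigint", []),
    ("src_ip", True, "string", ["ip"]),
    ("src_port", True, "bigint", []),
    ("dest_ip", True, "string", ["ip"]),
    ("dest_port", True, "bigint", []),
    ("proto", True, "string", []),
    ("alert.action", True, "string", []),
    ("alert.signature_id", True, "bigint", []),
    ("alert.severity", True, "bigint", []),
    ("alert.signature", True, "string", []),
    ("flow.bytes_toserver", True, "bigint", []),
    ("tls.sni", False, "string", ["ip"]),
]
# The schema's timeFormat without the "strftime=" prefix Panther uses.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"
PY_TYPES = {"string": str, "bigint": int, "boolean": bool, "timestamp": str}


def lookup(obj, path):
    """Follow a dotted path into nested dicts; return (found, value)."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return False, None
        obj = obj[key]
    return True, obj


def parse_alert(line):
    """Validate an EVE JSON line against ALERT_FIELDS and add Panther-style
    p_* columns. Returns (row, errors); row is None if any error was found."""
    event = json.loads(line)
    errors, ips = [], set()
    if event.get("event_type") != "alert":
        errors.append(f"event_type {event.get('event_type')!r} is not an alert")
    for path, required, ftype, indicators in ALERT_FIELDS:
        found, value = lookup(event, path)
        if not found:
            if required:
                errors.append(f"missing required field {path}")
            continue
        # bool is a subclass of int in Python, so reject true/false for bigint.
        if not isinstance(value, PY_TYPES[ftype]) or (
            ftype == "bigint" and isinstance(value, bool)
        ):
            errors.append(f"{path}: expected {ftype}, got {type(value).__name__}")
            continue
        if "ip" in indicators:
            try:
                ips.add(str(ipaddress.ip_address(value)))
            except ValueError:
                pass  # assumption: a hostname in tls.sni yields no ip indicator
    if errors:
        return None, errors
    event_time = datetime.strptime(event["timestamp"], TIME_FORMAT)
    row = dict(event)
    row["p_log_type"] = "Suricata.Alert"
    row["p_event_time"] = event_time.astimezone(timezone.utc).isoformat()
    row["p_any_ip_addresses"] = sorted(ips)
    return row, []


# Constructed sample lines (not real captures). The second one carries a
# string where the schema requires bigint and lacks alert.severity.
SAMPLE_ALERT = json.dumps({
    "timestamp": "2021-03-04T10:07:46.372138+0100",
    "flow_id": 1234567890123, "in_iface": "eth0", "event_type": "alert",
    "src_ip": "10.0.0.5", "src_port": 51234,
    "dest_ip": "203.0.113.10", "dest_port": 443, "proto": "TCP",
    "alert": {"action": "allowed", "gid": 1, "signature_id": 1000001, "rev": 1,
              "signature": "LOCAL constructed test signature",
              "category": "Potentially Bad Traffic", "severity": 2},
    "flow": {"pkts_toserver": 4, "pkts_toclient": 3, "bytes_toserver": 320,
             "bytes_toclient": 240, "start": "2021-03-04T10:07:45.000000+0100"},
    "tls": {"sni": "example.com", "version": "TLS 1.2"},
})
SAMPLE_BAD = (SAMPLE_ALERT.replace('"dest_port": 443', '"dest_port": "443"')
              .replace(', "severity": 2', ''))

if __name__ == "__main__":
    for line in (SAMPLE_ALERT, SAMPLE_BAD):
        row, errors = parse_alert(line)
        if row:
            print(row["p_event_time"], row["p_any_ip_addresses"])
        else:
            print(errors)
```

Note that the `+0100` offset in the sample is normalised to UTC in `p_event_time`, which is what the `isEventTime: true` field is used for.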

### Suricata.Anomaly

Suricata parser for the Anomaly event type in the EVE JSON output.

Reference: [Suricata documentation on anomalies in the EVE JSON output.](https://suricata.readthedocs.io/en/suricata-5.0.2/output/eve/eve-json-output.html#anomaly)

| Column | Type | Description |
| --- | --- | --- |
| **`anomaly`** | `{ "code":bigint, "event":string, "layer":string, "type":string }` | Suricata Anomaly Anomaly |
| `app_proto` | `string` | Suricata Anomaly AppProto |
| `community_id` | `string` | Suricata Anomaly CommunityID |
| `dest_ip` | `string` | Suricata Anomaly DestIP |
| `dest_port` | `int` | Suricata Anomaly DestPort |
| **`event_type`** | `string` | Suricata Anomaly EventType |
| `flow_id` | `bigint` | Suricata Anomaly FlowID |
| `icmp_code` | `bigint` | Suricata Anomaly IcmpCode |
| `icmp_type` | `bigint` | Suricata Anomaly IcmpType |
| `metadata` | `{ "flowbits":[string], "flowints":{ "applayer_anomaly_count":bigint, "http_anomaly_count":bigint, "tcp_retransmission_count":bigint, "tls_anomaly_count":bigint } }` | Suricata Anomaly Metadata |
| `packet` | `string` | Suricata Anomaly Packet |
| `packet_info` | `{ "linktype":bigint }` | Suricata Anomaly PacketInfo |
| `pcap_cnt` | `bigint` | Suricata Anomaly PcapCnt |
| `pcap_filename` | `string` | Suricata Anomaly PcapFilename |
| `proto` | `bigint` | Suricata Anomaly Proto |
| `src_ip` | `string` | Suricata Anomaly SrcIP |
| `src_port` | `int` | Suricata Anomaly SrcPort |
| **`timestamp`** | `timestamp` | Suricata Anomaly Timestamp |
| `tx_id` | `bigint` | Suricata Anomaly TxID |
| `vlan` | `[bigint]` | Suricata Anomaly Vlan |
| **`p_log_type`** | `string` | Panther added field with the log type |
| **`p_row_id`** | `string` | Panther added field with a unique id (within the table) |
| **`p_event_time`** | `timestamp` | Panther added field with the standardized event time (UTC) |
| **`p_parse_time`** | `timestamp` | Panther added field with the standardized log parse time (UTC) |
| `p_source_id` | `string` | Panther added field with the source id |
| `p_source_label` | `string` | Panther added field with the source label |
| `p_any_ip_addresses` | `[string]` | Panther added field with the collection of IP addresses associated with the row |
| `p_any_domain_names` | `[string]` | Panther added field with the collection of domain names associated with the row |
| `p_any_sha1_hashes` | `[string]` | Panther added field with the collection of SHA1 hashes associated with the row |
| `p_any_md5_hashes` | `[string]` | Panther added field with the collection of MD5 hashes associated with the row |
| `p_any_sha256_hashes` | `[string]` | Panther added field with the collection of SHA256 hashes of any algorithm associated with the row |

### Suricata.DHCP

Suricata parser for the DHCP event type in the EVE JSON output.

Reference: [Suricata.DHCP](https://suricata.readthedocs.io/en/suricata-5.0.2/output/eve/eve-json-output.html)

```yaml
schema: Suricata.DHCP
parser:
  native:
    name: Suricata.DHCP
description: Suricata parser for the DHCP event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-5.0.2/output/eve/eve-json-output.html
fields:
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: dhcp
    required: true
    description: dhcp
    type: object
    fields:
      - name: assigned_ip
        required: true
        description: assigned_ip
        type: string
        indicators:
          - ip
      - name: client_mac
        required: true
        description: client_mac
        type: string
      - name: dhcp_type
        required: true
        description: dhcp_type
        type: string
      - name: hostname
        required: true
        description: hostname
        type: string
      - name: id
        required: true
        description: id
        type: string
        indicators:
          - trace_id
      - name: type
        required: true
        description: type
        type: string
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
```

### Suricata.DNS

Suricata parser for the DNS event type in the EVE JSON output.

Reference: [Suricata documentation on DNS in the EVE JSON output.](https://suricata.readthedocs.io/en/suricata-5.0.2/output/eve/eve-json-output.html#dns)

```yaml
schema: Suricata.DNS
description: Suricata parser for the DNS event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-5.0.2/output/eve/eve-json-output.html#dns
fields:
    - name: community_id
      description: Suricata DNS CommunityID
      type: string
    - name: dns
      required: true
      description: Suricata DNS DNS
      type: object
      fields:
        - name: aa
          description: Suricata DNSDetails Aa
          type: boolean
        - name: answers
          description: Suricata DNSDetails Answers
          type: array
          element:
            type: object
            fields:
                - name: rdata
                  required: true
                  description: Suricata DNSDetailsAnswers Rdata
                  type: string
                  indicators:
                    - hostname
                - name: rrname
                  required: true
                  description: Suricata DNSDetailsAnswers Rrname
                  type: string
                  indicators:
                    - domain
                - name: rrtype
                  required: true
                  description: Suricata DNSDetailsAnswers Rrtype
                  type: string
                - name: ttl
                  required: true
                  description: Suricata DNSDetailsAnswers TTL
                  type: bigint
        - name: authorities
          description: Suricata DNSDetails Authorities
          type: array
          element:
            type: object
            fields:
                - name: rrname
                  required: true
                  description: Suricata DNSDetailsAuthorities Rrname
                  type: string
                - name: rrtype
                  required: true
                  description: Suricata DNSDetailsAuthorities Rrtype
                  type: string
                - name: soa
                  required: true
                  type: object
                  fields:
                    - name: expire
                      required: true
                      type: bigint
                    - name: minimum
                      required: true
                      type: bigint
                    - name: mname
                      required: true
                      type: string
                    - name: refresh
                      required: true
                      type: bigint
                    - name: retry
                      required: true
                      type: bigint
                    - name: rname
                      required: true
                      type: string
                    - name: serial
                      required: true
                      type: bigint
                - name: ttl
                  required: true
                  description: Suricata DNSDetailsAuthorities TTL
                  type: bigint
        - name: flags
          description: Suricata DNSDetails Flags
          type: string
        - name: grouped
          description: Suricata DNSDetails Grouped
          type: object
          fields:
            - name: A
              description: Suricata DNSDetailsGrouped A
              type: array
              element:
                type: string
                indicators:
                    - ip
            - name: AAAA
              description: Suricata DNSDetailsGrouped Aaaa
              type: array
              element:
                type: string
                indicators:
                    - ip
            - name: CNAME
              description: Suricata DNSDetailsGrouped Cname
              type: array
              element:
                type: string
                indicators:
                    - domain
            - name: MX
              description: Suricata DNSDetailsGrouped Mx
              type: array
              element:
                type: string
                indicators:
                    - domain
            - name: PTR
              description: Suricata DNSDetailsGrouped Ptr
              type: array
              element:
                type: string
            - name: TXT
              description: Suricata DNSDetailsGrouped Txt
              type: array
              element:
                type: string
        - name: id
          required: true
          description: Suricata DNSDetails ID
          type: bigint
        - name: qr
          description: Suricata DNSDetails Qr
          type: boolean
        - name: ra
          description: Suricata DNSDetails Ra
          type: boolean
        - name: rcode
          description: Suricata DNSDetails Rcode
          type: string
        - name: rd
          description: Suricata DNSDetails Rd
          type: boolean
        - name: rrname
          description: Suricata DNSDetails Rrname
          type: string
          indicators:
            - domain
        - name: rdata
          description: Suricata DNSDetails RData
          type: string
          indicators:
            - ip
        - name: rrtype
          description: Suricata DNSDetails Rrtype
          type: string
        - name: ttl
          description: Suricata DNSDetails TTL
          type: bigint
        - name: tx_id
          description: Suricata DNSDetails TxID
          type: bigint
        - name: type
          description: Suricata DNSDetails Type
          type: string
        - name: version
          description: Suricata DNSDetails Version
          type: bigint
    - name: dest_ip
      required: true
      description: Suricata DNS DestIP
      type: string
      indicators:
        - ip
    - name: dest_port
      description: Suricata DNS DestPort
      type: int
    - name: event_type
      required: true
      description: Suricata DNS EventType
      type: string
    - name: flow_id
      required: true
      description: Suricata DNS FlowID
      type: bigint
      indicators:
        - trace_id
    - name: pcap_cnt
      description: Suricata DNS PcapCnt
      type: bigint
    - name: pcap_filename
      description: Suricata DNS PcapFilename
      type: string
    - name: proto
      required: true
      description: Suricata DNS Proto
      type: string
    - name: in_iface
      type: string
    - name: src_ip
      required: true
      description: Suricata DNS SrcIP
      type: string
      indicators:
        - ip
    - name: src_port
      description: Suricata DNS SrcPort
      type: int
    - name: timestamp
      required: true
      description: Suricata DNS Timestamp
      type: timestamp
      timeFormats:
        - '%Y-%m-%dT%H:%M:%S.%f%z'
      isEventTime: true
    - name: vlan
      description: Suricata DNS Vlan
      type: array
      element:
        type: bigint
```

### Suricata.FileInfo

Suricata parser for the FileInfo event type in the EVE JSON output.

Reference: [File Store and EVE FileInfo](https://suricata.readthedocs.io/en/suricata-6.0.0/file-extraction/file-extraction.html#file-store-and-eve-fileinfo).

```yaml
schema: Suricata.FileInfo
parser:
  native:
    name: Suricata.FileInfo
description: Suricata parser for the FileInfo event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/file-extraction/file-extraction.html#file-store-and-eve-fileinfo
fields:
  - name: app_proto
    required: true
    description: app_proto
    type: string
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: fileinfo
    required: true
    description: fileinfo
    type: object
    fields:
      - name: filename
        required: true
        description: filename
        type: string
      - name: gaps
        required: true
        description: gaps
        type: boolean
      - name: size
        required: true
        description: size
        type: bigint
      - name: state
        required: true
        description: state
        type: string
      - name: stored
        required: true
        description: stored
        type: boolean
      - name: tx_id
        required: true
        description: tx_id
        type: bigint
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: http
    required: true
    description: http
    type: object
    fields:
      - name: http_user_agent
        description: http_user_agent
        type: string
      - name: http_content_type
        description: http_content_type
        type: string
      - name: hostname
        required: true
        description: hostname
        type: string
      - name: http_method
        required: true
        description: http_method
        type: string
      - name: length
        required: true
        description: length
        type: bigint
      - name: protocol
        required: true
        description: protocol
        type: string
      - name: status
        required: true
        description: status
        type: bigint
      - name: url
        required: true
        description: url
        type: string
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
```

### Suricata.Flow

Suricata parser for the Flow event type in the EVE JSON output.

Reference: [Flow event type](https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-format.html#event-type-flow).

```yaml
schema: Suricata.Flow
parser:
  native:
    name: Suricata.Flow
description: Suricata parser for the Flow event type in the EVE JSON output.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-format.html#event-type-flow
fields:
  - name: app_proto_tc
    description: app_proto_tc
    type: string
  - name: icmp_code
    description: icmp_code
    type: bigint
  - name: icmp_type
    description: icmp_type
    type: bigint
  - name: metadata
    description: metadata
    type: object
    fields:
      - name: flowbits
        description: flowbits
        type: array
        element:
          type: string
      - name: flowints
        description: flowints
        type: object
        fields:
          - name: applayer.anomaly.count
            description: applayer.anomaly.count
            type: bigint
  - name: app_proto
    description: app_proto
    type: string
  - name: tcp
    description: tcp
    type: object
    fields:
      - name: psh
        description: psh
        type: boolean
      - name: cwr
        description: cwr
        type: boolean
      - name: ecn
        description: ecn
        type: boolean
      - name: fin
        description: fin
        type: boolean
      - name: rst
        description: rst
        type: boolean
      - name: ack
        description: ack
        type: boolean
      - name: state
        description: state
        type: string
      - name: syn
        description: syn
        type: boolean
      - name: tcp_flags
        required: true
        description: tcp_flags
        type: string
      - name: tcp_flags_tc
        required: true
        description: tcp_flags_tc
        type: string
      - name: tcp_flags_ts
        required: true
        description: tcp_flags_ts
        type: string
  - name: dest_port
    description: dest_port
    type: bigint
  - name: src_port
    description: src_port
    type: bigint
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow
    required: true
    description: flow
    type: object
    fields:
      - name: age
        required: true
        description: age
        type: bigint
      - name: alerted
        required: true
        description: alerted
        type: boolean
      - name: bytes_toclient
        required: true
        description: bytes_toclient
        type: bigint
      - name: bytes_toserver
        required: true
        description: bytes_toserver
        type: bigint
      - name: end
        required: true
        description: end
        type: string
      - name: pkts_toclient
        required: true
        description: pkts_toclient
        type: bigint
      - name: pkts_toserver
        required: true
        description: pkts_toserver
        type: bigint
      - name: reason
        required: true
        description: reason
        type: string
      - name: start
        required: true
        description: start
        type: string
      - name: state
        required: true
        description: state
        type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
```

### Suricata.HTTP

Suricata parser for the HTTP event type in the EVE JSON output.

Reference: [HTTP event type](https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-output.html#http).

```yaml
schema: Suricata.HTTP
파서:
  네이티브:
    name: Suricata.HTTP
description: EVE JSON 출력의 HTTP 이벤트 유형에 대한 Suricata 파서입니다.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-output.html#http
필드:
  - 이름: metadata
    description: metadata
    type: object
    필드:
      - name: flowbits
        description: flowbits
        type: array
        element:
          type: string
  - 이름: dest_ip
    required: true
    description: dest_ip
    type: string
    지표:
      - ip
  - 이름: dest_port
    required: true
    description: dest_port
    type: bigint
  - 이름: event_type
    required: true
    description: event_type
    type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: http
    required: true
    description: http
    type: object
    필드:
      - name: http_user_agent
        description: http_user_agent
        type: string
      - name: http_content_type
        description: http_content_type
        type: string
      - name: hostname
        description: hostname
        type: string
      - name: http_method
        description: http_method
        type: string
      - name: length
        description: length
        type: bigint
      - name: protocol
        description: protocol
        type: string
      - name: status
        description: status
        type: bigint
      - name: url
        description: url
        type: string
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
  - name: tx_id
    required: true
    description: tx_id
    type: bigint
```

### Suricata.SSH

Suricata parser for the SSH event type in the EVE JSON output.

Reference: [SSH event type](https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-format.html#event-type-ssh).

```yaml
schema: Suricata.SSH
parser:
  native:
    name: Suricata.SSH
description: EVE JSON 출력의 SSH 이벤트 유형에 대한 Suricata 파서입니다.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-format.html#event-type-ssh
fields:
  - name: metadata
    description: metadata
    type: object
    fields:
      - name: flowbits
        description: flowbits
        type: array
        element:
          type: string
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: ssh
    required: true
    description: ssh
    type: object
    fields:
      - name: client
        description: client
        type: object
        fields:
          - name: proto_version
            required: true
            description: proto_version
            type: float
          - name: software_version
            required: true
            description: software_version
            type: string
      - name: server
        description: server
        type: object
        fields:
          - name: proto_version
            required: true
            description: proto_version
            type: float
          - name: software_version
            required: true
            description: software_version
            type: string
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
  - name: tx_id
    required: true
    description: tx_id
    type: bigint
```

### Suricata.TLS

Suricata parser for the TLS event type in the EVE JSON output.

Reference: [TLS event type](https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-format.html#event-type-tls).

```yaml
schema: Suricata.TLS
parser:
  native:
    name: Suricata.TLS
description: EVE JSON 출력의 TLS 이벤트 유형에 대한 Suricata 파서입니다.
referenceURL: https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-format.html#event-type-tls
fields:
  - name: metadata
    description: metadata
    type: object
    fields:
      - name: flowints
        description: flowints
        type: object
        fields:
          - name: applayer.anomaly.count
            description: applayer.anomaly.count
            type: bigint
      - name: flowbits
        description: flowbits
        type: array
        element:
          type: string
  - name: dest_ip
    required: true
    description: dest_ip
    type: string
    indicators:
      - ip
  - name: dest_port
    required: true
    description: dest_port
    type: bigint
  - name: event_type
    required: true
    description: event_type
    type: string
  - name: flow_id
    required: true
    description: flow_id
    type: bigint
  - name: in_iface
    required: true
    description: in_iface
    type: string
  - name: proto
    required: true
    description: proto
    type: string
  - name: src_ip
    required: true
    description: src_ip
    type: string
    indicators:
      - ip
  - name: src_port
    required: true
    description: src_port
    type: bigint
  - name: timestamp
    required: true
    description: Suricata DNS Timestamp
    type: timestamp
    timeFormat: strftime=%Y-%m-%dT%H:%M:%S.%f%z
    isEventTime: true
  - name: tls
    required: true
    description: tls
    type: object
    fields:
      - name: fingerprint
        description: fingerprint
        type: string
      - name: issuerdn
        description: issuerdn
        type: string
      - name: notafter
        description: notafter
        type: string
      - name: notbefore
        description: notbefore
        type: string
      - name: serial
        description: serial
        type: string
      - name: subject
        description: subject
        type: string
      - name: ja3
        required: true
        description: ja3
        type: object
        fields:
          - name: hash
            description: hash
            type: string
          - name: string
            description: string
            type: string
      - name: ja3s
        required: true
        description: ja3s
        type: object
        fields:
          - name: hash
            description: hash
            type: string
          - name: string
            description: string
            type: string
      - name: sni
        description: sni
        type: string
      - name: version
        required: true
        description: version
        type: string
```
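As an added example (not Panther's or Suricata's own code), a Panther-style Python rule over events shaped like the Suricata.TLS schema above: it parses `timestamp` with the schema's `timeFormat`, checks whether the certificate's `notbefore`/`notafter` window covers the moment the flow was seen, and flags legacy protocol versions. The `rule()`/`title()` function shape follows Panther's Python detection convention; the UTC assumption for certificate dates, the `LEGACY_VERSIONS` list and the sample events are constructed for this example.

```python
from datetime import datetime, timezone

# Event timestamps use the schema's timeFormat; Suricata's certificate
# dates carry no zone, so UTC is assumed here (assumption, not from the page).
EVENT_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"
CERT_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"
# Constructed list of protocol versions worth alerting on.
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLS 1.0", "TLS 1.1"}

def parse_event_time(value):
    return datetime.strptime(value, EVENT_TIME_FORMAT)

def parse_cert_time(value):
    return datetime.strptime(value, CERT_TIME_FORMAT).replace(tzinfo=timezone.utc)

def cert_validity_problem(event):
    """Return 'expired', 'not_yet_valid' or None, judged at the event's own timestamp."""
    tls = event.get("tls") or {}
    if not tls.get("notbefore") or not tls.get("notafter"):
        return None  # both are optional in the schema; nothing to judge
    seen = parse_event_time(event["timestamp"])
    if seen > parse_cert_time(tls["notafter"]):
        return "expired"
    if seen < parse_cert_time(tls["notbefore"]):
        return "not_yet_valid"
    return None

def rule(event):
    # Panther-style entry point: True means the event should raise an alert.
    version = (event.get("tls") or {}).get("version")
    return cert_validity_problem(event) is not None or version in LEGACY_VERSIONS

def title(event):
    tls = event.get("tls") or {}
    reason = cert_validity_problem(event) or "legacy protocol version"
    return (f"Suricata TLS {reason}: {event.get('src_ip')} -> "
            f"{event.get('dest_ip')}:{event.get('dest_port')} "
            f"sni={tls.get('sni')} version={tls.get('version')}")

def flagged_titles(events):
    """Replay a batch through the rule and return the alert titles it would raise."""
    return [title(ev) for ev in events if rule(ev)]

# Constructed sample events shaped like Suricata.TLS records (not real traffic).
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-10T12:00:00.123456+0000", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
     "dest_port": 443, "tls": {"version": "TLS 1.3", "sni": "intranet.example",
                               "notbefore": "2024-01-01T00:00:00", "notafter": "2024-12-31T23:59:59"}},
    {"timestamp": "2024-03-10T12:00:01.000000+0000", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.10",
     "dest_port": 443, "tls": {"version": "TLS 1.2", "sni": "old.example",
                               "notbefore": "2023-01-01T00:00:00", "notafter": "2023-12-31T23:59:59"}},
    {"timestamp": "2024-03-10T12:00:02.000000+0000", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.11",
     "dest_port": 8443, "tls": {"version": "TLS 1.0", "sni": "legacy.example"}},
]
```

Calling `flagged_titles(SAMPLE_EVENTS)` yields two titles: one for the expired certificate and one for the TLS 1.0 session; the first event passes.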
