
I'm trying to write a (very simple) custom format for a Suricata alert for ingest into a Python application I have written.

In the documentation I've found, it indicates that some fields, like "- http-log:", support a 'customvalue' option. I'm trying to determine if the "-fast" section, which generates the alerts I'm interested in, supports custom formats as well.

If anyone has ever written a custom alert format for Suricata's fast.log I would be interested to learn how you did it. Thanks in advance for your time and help.

jkovba

2 Answers


Unfortunately, Suricata does not support custom alert formats for its "-fast" line-based alerts at the time of writing. The documentation for Suricata configuration only has a few options (specifying filename and append options) for this type of alert logging. The latest Suricata source (downloadable here) shows that the output for the -fast logging option is a hard-coded format in the alert-fastlog.c file shown below.

alert-fastlog.c

Given that the Suricata fast alert format was designed to be the same format as the Snort alert_fast logging option, it may be helpful to leverage an existing Python solution for parsing Snort alerts, and apply a similar approach in this situation.

Kevin
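Since the fast.log format is fixed, the practical route for a Python application is to parse it. The following is an added example, not code from either answer or from the Suricata project; it assumes the line layout produced by alert-fastlog.c (optional "[Drop]" action tag, "(null)" classification when a rule has none, IPv6 addresses printed without brackets), and the sample lines and dictionary keys are constructed here.

```python
import re
from datetime import datetime
from typing import Optional

# Layout of Suricata's hard-coded fast.log line (same shape as Snort's alert_fast):
#   <ts>  [**] [Drop] [gid:sid:rev] <msg> [**] [Classification: <c>] [Priority: <p>] {<proto>} <src>:<sport> -> <dst>:<dport>
# "[Drop] " only appears when running inline; Classification is "(null)" for rules without one;
# IPv6 addresses carry no brackets, so the greedy \S+ makes src/dst split on the LAST colon.
FAST_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"(?:\[(?P<action>[A-Za-z]+)\]\s+)?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<classification>.*?)\]\s+\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)
INT_FIELDS = ("gid", "sid", "rev", "priority", "sport", "dport")


def parse_fast_line(line: str) -> Optional[dict]:
    """Parse one fast.log line into a dict; return None if it does not match the format."""
    m = FAST_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    alert = m.groupdict()  # unmatched optional groups (e.g. action) come back as None
    alert["timestamp"] = datetime.strptime(alert.pop("ts"), "%m/%d/%Y-%H:%M:%S.%f")
    for key in INT_FIELDS:
        alert[key] = int(alert[key])
    if alert["classification"] == "(null)":
        alert["classification"] = None
    return alert


def parse_fast_log(text: str) -> list:
    """Parse a whole fast.log body, skipping blank or unparseable lines."""
    return [a for a in map(parse_fast_line, text.splitlines()) if a is not None]


# Constructed sample lines (not captured traffic) in fast.log shape.
SAMPLE_LOG = """\
02/01/2019-12:34:56.789012  [**] [1:1000001:3] SAMPLE test rule match [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:54321
02/01/2019-12:35:01.000001  [**] [Drop] [1:1000002:1] SAMPLE inline drop [**] [Classification: (null)] [Priority: 3] {UDP} 2001:db8::1:53 -> 2001:db8::2:40000
not a fast.log line
"""

if __name__ == "__main__":
    for a in parse_fast_log(SAMPLE_LOG):
        print(a["sid"], a["action"], a["proto"], f'{a["src"]}:{a["sport"]} -> {a["dst"]}:{a["dport"]}')
```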

You can also use Lua scripts to generate your own output formats. There is an example in the source that implements a fast-log-like output here: https://github.com/inliniac/suricata/blob/master/lua/fast.lua

Documentation of the Lua options in Suricata can be found here: http://suricata.readthedocs.io/en/latest/output/lua-output.html