Suricata rulesets updates and Kibana

Hi,

  • Running ELK 6.8.8 on premises

I've defined a number of visualizations in Kibana, which use the signature IDs from Suricata.
Initially I made a series of manual filters by ID and the visualizations look good, showing the information I need.

The problem is that these signature IDs are updated very often in Suricata, so in as little time as hours or a couple of days, the filters I made become obsolete or do not contain the latest rule IDs available in Suricata.

Not incorporating these new IDs into my visualizations is a big problem for me, so I'm looking for a way that I can automate updating these filters from Suricata to Kibana.

Is there a way to achieve this automation process?

  • As a note I comment that, in my opinion, it would be best if the information I need was already included in the index "logstash-alert-*" in the form of an additional field. This way, I would not have to do any filter in Kibana and would only show this new field, since the alerts would be categorized as they were being indexed. But unfortunately, I don't know how to achieve this either.

Example:

(it already exists)
alert.category: Attempted Denial of Service
alert.signature: ET SCAN Possible SSL Brute Force attack or Site Crawl
alert.signature_id: 2001553
(to add)
alert.type (or alert.group): Brute Force attack

Either having to use my filters with automation or using the index enhancement (if it becomes available) I should be able to move forward, so any help is welcome.

Thank you

I don't know much about Suricata or the signature IDs, but it seems to me like this would better be implemented in Suricata before it gets ingested in Kibana?

Failing that, there is the saved objects API with which you can programmatically update a visualization to, for instance, add new filters: https://www.elastic.co/guide/en/kibana/6.8/saved-objects-api.html
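One way to do the "categorize before ingestion" approach from both posts is to regenerate a signature-ID lookup table from the Suricata rules files each time the ruleset is updated, then let Logstash add the new field (the poster's `alert.group`) at index time with the translate filter, so no Kibana filters need maintaining. The script below is an added example, not code from the original thread or from the Suricata/Elastic projects: it parses rule lines for `sid`, `msg` and `classtype`, assigns a group from an assumed keyword table (falling back to the classtype), writes the flat YAML dictionary that Logstash's `translate` filter reads via `dictionary_path`, and shows the equivalent enrichment applied to one eve.json alert. The sample rules are constructed; only sid 2001553 and its message come from the post, the other sids (9000000 to 9000002) are made up.

```python
import json
import re

# Constructed sample in Suricata rule syntax. sid 2001553 and its msg are the ones quoted in
# the post; the other sids (9000000 to 9000002) and their text are made up for this example.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET SCAN Possible SSL Brute Force attack or Site Crawl"; flow:to_server; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2001553; rev:15;)
# alert tcp any any -> any any (msg:"disabled rule, must be skipped"; classtype:misc-activity; sid:9000000; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SCAN Possible SSH Scan"; classtype:attempted-recon; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"EXAMPLE WEB_SERVER SQL Injection Attempt in URI"; classtype:web-application-attack; sid:9000002; rev:1;)
'''

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')
CLASSTYPE_RE = re.compile(r'\bclasstype\s*:\s*([\w-]+)\s*;')

# Keyword -> group table, checked in order; first match wins. This table is an assumption
# maintained by the analyst; it replaces the manual per-ID filters in Kibana.
GROUP_RULES = [
    (re.compile(r'brute\s*force', re.I), 'Brute Force attack'),
    (re.compile(r'sql\s*injection', re.I), 'SQL Injection'),
    (re.compile(r'\bscan\b', re.I), 'Scan / Recon'),
]


def parse_rules(text):
    """Yield (sid, msg, classtype) for every active rule line; commented rules are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue  # not a rule line (or malformed): nothing to map
        msg = MSG_RE.search(line)
        classtype = CLASSTYPE_RE.search(line)
        yield (sid.group(1),
               msg.group(1) if msg else '',
               classtype.group(1) if classtype else 'unknown')


def classify(msg, classtype):
    """Map a rule to a group from its msg keywords, falling back to the Suricata classtype."""
    for pattern, group in GROUP_RULES:
        if pattern.search(msg):
            return group
    return classtype


def build_sid_map(text):
    """sid -> group dictionary, keyed by string because translate looks keys up as strings."""
    return {sid: classify(msg, classtype) for sid, msg, classtype in parse_rules(text)}


def to_logstash_yaml(mapping):
    """Serialise the map as the flat YAML dictionary the Logstash translate filter reads.
    Values are emitted as JSON strings, which are valid double-quoted YAML scalars."""
    lines = ['"%s": %s' % (sid, json.dumps(group)) for sid, group in sorted(mapping.items())]
    return '\n'.join(lines) + '\n'


def enrich(event, mapping, field='group'):
    """Add alert.<field> to one eve.json alert event, as the translate filter would at index time."""
    alert = event.get('alert')
    if event.get('event_type') != 'alert' or not isinstance(alert, dict):
        return event  # flow/dns/etc. events carry no signature, leave them untouched
    alert[field] = mapping.get(str(alert.get('signature_id')), 'uncategorized')
    return event


if __name__ == '__main__':
    sid_map = build_sid_map(SAMPLE_RULES)
    print(to_logstash_yaml(sid_map))  # write this to the file named in dictionary_path
    # Constructed eve.json alert carrying the fields the poster listed
    event = {'event_type': 'alert',
             'alert': {'category': 'Attempted Denial of Service',
                       'signature': 'ET SCAN Possible SSL Brute Force attack or Site Crawl',
                       'signature_id': 2001553}}
    print(json.dumps(enrich(event, sid_map)))
```

Run the script from the same job that pulls new rules (for example after suricata-update) and point a Logstash `translate` filter at the generated file with `field => "[alert][signature_id]"`, `destination => "[alert][group]"`, `dictionary_path` set to that file, a `fallback` value and a `refresh_interval`, so the mapping is reloaded without restarting the pipeline; rules that gain a new sid are then categorized on the next refresh rather than requiring a visualization change.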
