Comment on Internal network monitoring
irmadlad@lemmy.world 4 days agobut suricata will not automatically correlate primitives into actual alerts from different vlans without transforms, which are cpu-intensive for what they do.
It is possible to offload the correlation to a downstream SIEM or log aggregator like Wazuh or ELK. Again, it’s something I’m currently trying to spool up on. I know it can be done, I’m just trying different things until I do get it right. I appreciate any input.
non_burglar@lemmy.world 4 days ago
Oh, yeah, absolutely. Suricata was created not long after snort, in the days when an ids did the gathering and the correlation.
You’re totally right, the way most people and orgs do it today is to ship ids logs to a siem for the correlation, overall easier to manage. ELK is the go-to for most, not sure about wazuh, I’ve only seen it in the homelab space, but it might work.
There is a distro (not totally open source) called SELKS, which sets up suricata, elastic and some other tooling (kibana) in a commonly-used setup. I deploy it a lot because it saves time with the non-security setup with dB’s and such. Pretty easy to point syslog to it and you can see alerts right away and start tuning.
I’m envious of your position, I learned a lot setting this stuff up.
irmadlad@lemmy.world 4 days ago
I did not know about SELKS. I will definitely check it out. Thank you for the tip.