What’s better than Brim and Zeek? Brim, Zeek and Suricata!

Oliver Rochford
Brim Security
Published in
5 min readDec 22, 2020

We are really excited to announce that we have extended our pcap post-capture analysis engine in Brim with Suricata. In addition to Brim analyzing raw packet data with Zeek, you can now also detect malicious indicators of compromise using Suricata’s Emerging Threats OPEN ruleset.

Phil Rzewski, Brim’s community director who has been the driving force behind the integration effort, explains that “Our community of users helped validate that Suricata is the next obvious data source for Brim. Most are familiar with Suricata and would like to be using it more. So we’re hopeful that, like Brim did for Zeek, users will appreciate having it accessible from a GUI-driven desktop app, whether they run Windows, macOS or Linux.”

“The community has really impressed us with what they’ve been able to do with just Zeek data and their pcaps, often starting their hunts with a clean slate,” Phil said. “The evidence from an attack is almost always revealed in the richness of that data, but you need to start your search somewhere. Now with an ordered list of Suricata alerts to start from, there’s an opportunity to take some shortcuts.”

With the new integration, Suricata alerts can be investigated with the same intuitive search and data exploration workflows Brim delivers for Zeek. This includes the full range of processors, functions, visualizations and one-click pivots. Even better, Suricata alerts and Zeek events can be searched and analysed in aggregate and correlated. No longer are network traffic analysis and network intrusion detection segregated into distant data silos. Let Suricata drive your threat hunting, and let Brim show you how beautiful security data can look.

Suricata is available in the latest version available from the Brim Downloads page (version 0.21.1 and newer).

Brim is a full nano network intrusion detection and threat hunting platform, and best of all, it’s open source. There is no need to install half a SOC or a dozen databases on a laptop to run a breach assessment or conduct a threat hunt. All you need is network data and Brim.

Suricata Workflow

If you are just getting started with Brim, you can download it here and follow our installation instructions.

Pcap Post-Capture Analysis

Once you have installed and started Brim, you can drag and drop a pcap onto the app’s “Import Files” pane. The pcap will be analyzed through the integrated Zeek and Suricata engines to generate streams and alerts. Records become available almost immediately and you can begin exploring the first data while the remainder processes in the background.

Brim’s “Import Files” pane

Suricata Queries

To speed up incident response and threat hunting, we suggest you use the following Z queries:

Show the count of all Suricata signature alerts by severity

event_type=alert | count() by alert.severity,alert.signature | sort -r count

Sorted overview of Suricata alerts by source and destination IP addresses

event_type=alert | sort src_ip, dest_ip, alert.signature,alert.severity | cut src_ip, dest_ip, alert.severity, alert.signature, alert.category | uniq -c

Show an overview of all Suricata alerts by destination CIDR subnet

event_type=alert | alerts=union(alert.category) by network_of(dest_ip)

Suricata Alert Visualization

We have enhanced our correlation visualization in the Log Details panel to include Suricata alerts. In addition to correlating Zeek events via their “unique identifier” (uid) as Brim has always done, the visualization now also includes Suricata alerts related to the same flow by leveraging Community ID. This allows for single-click pivots between Suricata alerts and the additional context from Zeek that reveals more about why an alert fired.

Suricata alerts correlated with Zeek context

Suricata Data Schema

We store all Suricata data in ZNG, Brim’s ground-breaking data format. ZNG retains all the original information, and enhances each record with an embedded self-describing data schema and smart data types. Below is an example of an alert with the associated data scheme:

Community ID

We added Community ID support in Brim 0.19.0. Community ID is a string identifier for associating network flows with one another based on flow hashing. All Suricata alerts and Zeek events that Brim generates from imported pcaps contain a Community ID that can be used to correlate any Suricata alert with related Zeek events and vice versa.

FAQ

Which Suricata rules are included?

We have included the Emerging Threats OPEN ruleset.

Do I need to update the Suricata rules?

The included Suricata rules are updated automatically whenever Brim is started.

Can I use my own Suricata rules? Can I change the default Suricata configuration?

While it is not possible to modify the Suricata rules or change the default configuration we have included in Brim today, this will be possible in the near future similar to Brim’s integrated Zeek. We are also adding the ability to ingest Suricata EVE JSON so you can operate your own custom Suricata sensors and investigate the Suricata alerts in Brim.

Project Z

ZNG and the Z language are part of the Z stack, Brim’s ground-breaking data exploration and analytical processing platform.

As all data in Brim is stored in ZNG, you can search and analyse any and all log data using Z without needing to conduct any messy database or parsing acrobatics.

Whether you want to conduct threat hunting and network forensics via the UI, or you are building advanced analytics or labelling attributes for ML models, Z extends from the data to the presentation layer.

Originally published at https://www.brimsecurity.com.

--

--

Oliver Rochford
Brim Security

Oliver is a Security Subject Matter Expert at Brim Security