Value of NSM data
From https://suricata-ids.org –
Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation. Suricata is developed by the OISF and its supporting vendors.
Snort was an early IDS that matched signatures against packets seen on a network. Suricata is the next generation of open source tools that looks to expand on the capabilities of snort. While it continues to monitor packets, and can ‘alert’ on matches (think bad IP address, or a sequence of bytes inside of a packet), it expands the capabilities by adding Network Security Monitoring. NSM watches a network (or PCAP file), jams packet payloads together (in order), and does further analysis. From the payloads, Suricata can extract HTTP, FTP, DNS, SMTP, SSL certificate info etc.
This data can provide invaluable insight into what’s going on in your company or in your home. Store the data for future searches, monitor the data actively for immediate notification of some wrong doings or anything else you want to do. NSM data allows an analyst to track the spreading of malware. Track how a malicious email came through.
Beyond the meta-data, Suricata can also extract the files from monitored sessions. These files can be analyzed, replayed or shoved into a sandbox and detonated. Build your own!
Here’s a break down of fields available, but remember they’re not always there. Be careful in your coding.
All records contain general layer 3/4 network information:
This covered TCP/IP, UDP, etc. Each event that gets logged (check out /var/log/eve.json) , has this information and more. “event_type” indicates the ‘rest’ of the important data in this NSM record. Values in ‘event_type’ will be one of:
Client/Server are child objects when this is parsed from JSON.
File info is special. It can be associated with other types, like HTTP and SMTP/email. Watch the object carefully, you’ll get a mix of fields