Network Security Monitoring with Suricata and Telegraf

5 minutes

At the end of 2019, we released a new Suricata input plugin with Telegraf 1.13.0. In this blog, I’ll talk about the the powerful combination of these two open source products — the importance of Suricata and why you should use Telegraf to monitor its performance.

I wanted to start off first thanking Sascha Steinbiss for submitting this plugin. Here at InfluxData, we can’t tell you how much we value our open source community. Telegraf would not be what it is without folks like Sascha!

Why implement network security monitoring?

Network Security Monitoring (NSM) is increasingly important as cybercrime continues to grow to hundreds of billions a year. NSM solutions detect attacks in your network that could lead to a vast variety of losses from bandwidth consumption, data, traffic and resources theft, to inserting spam and ransoming your data. The list grows as cyber security tries to catch up with the fast-paced cybercrime industry. Network security monitoring is critical to detect and prevent attacks as they happen but also to provide means for forensics analysis. NSM provides visibility into traffic context (file names, websites, apps, protocols etc.) that allows for a more comprehensive analysis of suspicious activities in real-time and for forensics purposes, both on-prem and cloud deployments. But all this data needs to be sent to a high-performing time series database that can process a large volume of raw data, enrich it with other metadata for root-cause analysis and present it as a sequence of events that leads to actionable information.

What is Suricata?

Suricata is an open source security engine and is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap (packet capture) processing. Suricata is developed by the Open Information Security Foundation (OISF), a non-profit foundation organized to build a next generation IDS/IPS engine.

Why should I use Suricata?

Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.

Suricata offers an extensive list of features. One of the main features and major advantages of Suricata is multi-threading, which allows a single instance to perform at much higher traffic volumes.  With enterprise networks now handling more traffic than ever (which is why our customers love InfluxDB!), the multi-threaded nature of Suricata allows its users to scale horizontally. So if you have equipment with multiple CPUs, Suricata can be configured to distribute the workload across all the available hardware.

How can I use Telegraf to monitor my Suricata performance?

The Telegraf Suricata Input Plugin allows you to report internal performance metrics of your Suricata engine. Suricata metrics collected from Telegraf include:

  • Captured traffic volume
  • Memory usage
  • Uptime
  • Flow Counters

With the Suricata plugin, you can gain real-time insight into the performance of your security engine and make sure that it is operating optimally.

How do I properly configure my Suricata Input Plugin?

Suricata Configuration for Unix Socket

Suricata needs to deliver the “stats” event type to a given Unix socket for this plugin to pick up. This can be done, for example, by creating an additional output in the Suricata configuration file:

- eve-log:
    enabled: yes
    filetype: unix_stream
    filename: /tmp/suricata-stats.sock
    types:
      - stats:
         threads: yes

Suricata Input Telegraf Configuration

Like most Telegraf plugins, the Suricata Input Plugin does not require much configuration. The two fields that need to be provided are: 1) the file pathname for the unix socket 2) the delimiter for flattening field keys (default set to _).

[[input.suricata]]
  ## Data sink for Suricata stats log.
  # This is expected to be a filename of a
  # unix socket to be created for listening.
  source = "/var/run/suricata-stats.sock"

  # Delimiter for flattening field keys, e.g. subitem "alert" of "detect"
  # becomes "detect_alert" when delimiter is "_".
  delimiter = "_"

 

Example Suricata Output (select “view raw” to view entire raw text in full screen)

What metrics are collected from Telegraf Suricata plugin?

Tags:

TagDescriptionExample
threadThread IDs for thread-specific statistics or Global for global statisticsW#03-enp0s31f6

Fields:

Fields are the various internal performance counters of the Suricata IDS/IPS engine. These fields in the suricata measurement follow the JSON format used by Suricata’s stats output. View a list of example Suricata fields here.  All Suricata fields are numeric.

Telegraf’s Suricata plugin enables you to leverage the InfluxDB platform to collect, visualize and alert on network security data from Suricata, both flow and packet-based, as well as correlate this traffic data with full stack metrics and events for fast impact assessment, diagnosis and action plan.

Get started!

If you or your company are using Suricata for security and want to monitor its performance, try out everything you read in this Telegraf plugin! We’d love to hear how you’re monitoring Suricata using this plugin or any other InfluxData products. Join our Community Slack Channel where you can ask questions and engage with other people using InfluxDB!

Related Blog Posts

1 thought on “Network Security Monitoring with Suricata and Telegraf”

  1. Avatar

    How come in the suricata config the socket is /tmp/suricata-stats.sock, and in telegraf config the socket location is /var/run/suricata-stats.sock?

    I’m using telegraf 1.14 from OPNsense 20 (Keen Kinfisher). I followed the instructions above, but telegraf keeps saying :

    2020-04-25T01:42:07Z E! [telegraf] Error running agent: listen unix /tmp/suricata-stats.sock: bind: address already in use

    I could read from the socket by using cat. Why couldn’t telegraf read from it? Thanks!

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top