Feature #6999
open
output/json: enrich EVE w/ libmaxminddb geoip info
Added by Juliana Fajardini Reichow 8 months ago.
Updated 4 months ago.
Description
Work proposed and executed by Fandi Gunawan
PR: https://github.com/OISF/suricata/pull/10703
From PR description:
Adding optional geoip enrichment into Eve-log by setting the geoip-enrichment option under the eve-log configuration in suricata.yaml.
The JSON structure of geoip is based on Elastic ECS geo specification.
This is to avoid the cost of additional resources in RAM, CPU, and storage for achieving a similar result with logstash.
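As an added illustration of what the ECS-shaped enrichment described in the PR looks like on a single EVE record (this is example code written for this page, not the PR's C implementation or any Suricata code): the lookup is abstracted behind a callable that returns a dict in the GeoLite2-City response shape, so the sample runs offline against constructed records; the ECS field names are the standard `geo.*` fields from the ECS geo specification.

```python
"""Enrich Suricata EVE JSON lines with ECS-shaped geo objects in post-processing.
Added example, not the PR's code: `lookup(ip)` returns a GeoLite2-City style dict
(the shape maxminddb.Reader.get() returns) or None; pass a real reader's .get."""
import json

# Constructed records in GeoLite2-City response shape (TEST-NET addresses, not real data).
FAKE_DB = {
    "203.0.113.7": {
        "city": {"names": {"en": "Exampleville"}},
        "continent": {"code": "EU", "names": {"en": "Europe"}},
        "country": {"iso_code": "NL", "names": {"en": "Netherlands"}},
        "location": {"latitude": 52.37, "longitude": 4.9, "time_zone": "Europe/Amsterdam"},
        "subdivisions": [{"iso_code": "NH", "names": {"en": "North Holland"}}],
    },
    # Country-level-only entry: no city, subdivision or coordinates.
    "198.51.100.9": {"country": {"iso_code": "BR", "names": {"en": "Brazil"}}},
}

def to_ecs_geo(rec):
    """Map a GeoLite2-City record to ECS geo.* fields, emitting only what is present."""
    def name(section):
        return rec.get(section, {}).get("names", {}).get("en")

    geo = {
        "city_name": name("city"),
        "continent_name": name("continent"),
        "country_iso_code": rec.get("country", {}).get("iso_code"),
        "country_name": name("country"),
        "timezone": rec.get("location", {}).get("time_zone"),
    }
    if rec.get("subdivisions"):
        sub = rec["subdivisions"][0]
        geo["region_name"] = sub.get("names", {}).get("en")
        # ECS wants the country-prefixed form, e.g. "NL-NH"; MaxMind gives only "NH".
        if sub.get("iso_code") and geo["country_iso_code"]:
            geo["region_iso_code"] = f"{geo['country_iso_code']}-{sub['iso_code']}"
    loc = rec.get("location", {})
    if "latitude" in loc and "longitude" in loc:
        geo["location"] = {"lat": loc["latitude"], "lon": loc["longitude"]}
    return {k: v for k, v in geo.items() if v is not None}

def enrich_eve(line, lookup):
    """Add source.geo / destination.geo to one EVE record; untouched where the DB has no answer."""
    event = json.loads(line)
    for ip_key, ecs_key in (("src_ip", "source"), ("dest_ip", "destination")):
        rec = lookup(event[ip_key]) if ip_key in event else None
        if rec:
            event.setdefault(ecs_key, {})["geo"] = to_ecs_geo(rec)
    return event
```

Addresses the database does not cover (RFC 1918 space, for instance) come back as None from the lookup and leave the record unchanged, which is the behaviour a downstream ECS consumer expects.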
- Assignee changed from Community Ticket to Fandi Gunawan
Some initial thoughts.
If Suricata is going to block, or alert based on the geoip keyword, I think it is important to log that context along with the alert. GeoIP databases differ or get out of date, so you don't want Suricata making a decision on one GeoIP database and enriching that log with another.
What I'm not so sure about is if all events should be enriched. This is typically where I'd recommend post-processing. Moving it to Suricata because Logstash is slow isn't a very strong reason, as Logstash is generally slow and there could be other ways... Filebeat with Elastic ingest streams is probably much faster. And I'm hesitant to add yet another toggle to the config.
Thoughts? I think the ECS schema layout is good here, but should probably take a quick look at the OCSF schema for similar data as well.
Jason Ish wrote in #note-3:
Some initial thoughts.
If Suricata is going to block, or alert based on the geoip keyword, I think it is important to log that context along with the alert. GeoIP databases differ or get out of date, so you don't want Suricata making a decision on one GeoIP database and enriching that log with another.
What I'm not so sure about is if all events should be enriched. This is typically where I'd recommend post-processing. Moving it to Suricata because Logstash is slow isn't a very strong reason, as Logstash is generally slow and there could be other ways... Filebeat with Elastic ingest streams is probably much faster. And I'm hesitant to add yet another toggle to the config.
Thoughts? I think the ECS schema layout is good here, but should probably take a quick look at the OCSF schema for similar data as well.
Yes, you are correct, the last publicly available database is from 2018; however, MaxMind provides a more recent and updated database through a different scheme.
To enrich data, the data needs to be deserialized and converted to another format, which is costly from my perspective. I added geoip support because Suricata supports geoip using the same library used by Logstash or Filebeat.
- Status changed from In Review to New
- Assignee changed from Fandi Gunawan to Community Ticket
Hello there, I'm unclaiming this ticket as stale, for now. Thanks for your work so far!
If you have more time in the future and would like to come back to contribute to our projects, you'll be most welcome.
WIP PR with changes requested: https://github.com/OISF/suricata/pull/10703