Merge pull request johnnykv#13 from threatstream/suricata-support

initial support for suricata events

mnemosyne.cfg.dist

@@ -11,7 +11,7 @@ ident =
 secret =
 host = hpfriends.honeycloud.net
 port = 20000
-channels = amun.events,conpot.events,thug.events,beeswarm.hive,dionaea.capture,thug.files,beeswarn.feeder,cuckoo.analysis,kippo.sessions,glastopf.events,glastopf.files,mwbinary.dionaea.sensorunique,wordpot.events,shockpot.events,p0f.events
+channels = amun.events,conpot.events,thug.events,beeswarm.hive,dionaea.capture,thug.files,beeswarn.feeder,cuckoo.analysis,kippo.sessions,glastopf.events,glastopf.files,mwbinary.dionaea.sensorunique,wordpot.events,shockpot.events,p0f.events,suricata.events
 
 [file_log]
 enabled = True

normalizer/modules/suricata_events.py

@@ -0,0 +1,52 @@
+# Copyright (C) 2013 Johnny Vestergaard <[email protected]>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+import json
+
+from normalizer.modules.basenormalizer import BaseNormalizer
+
+class Suricata(BaseNormalizer):
+    channels = ('suricata.events',)
+
+    def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
+        o_data = json.loads(data)
+
+        if ignore_rfc1918 and self.is_RFC1918_addr(o_data['source_ip']):
+            return []
+
+        session = {
+            'honeypot': 'suricata',
+            'timestamp': submission_timestamp,
+            'source_ip': o_data['source_ip'],
+            'destination_ip': o_data['destination_ip'],
+            'protocol': o_data['proto'],
+            'suricata': {
+                'action':         o_data['action'],
+                'signature':      o_data['signature'],
+                'signature_id':   o_data['signature_id'],
+                'signature_rev':  o_data['signature_rev'],
+            },
+            'sensor': o_data['sensor'] # UUID
+        }
+
+        # ICMP will have no ports
+        if 'destination_port' in o_data:
+            session['destination_port'] = o_data['destination_port']
+        if 'source_port' in o_data:
+            session['source_port'] = o_data['source_port']
+
+        return [{'session': session},]

normalizer/normalizer.py

@@ -33,6 +33,7 @@
 from modules import wordpot_events
 from modules import shockpot_events
 from modules import p0f_events
+from modules import suricata_events
 from bson import ObjectId
 
 import gevent

scripts/ensure_permissions.js

@@ -0,0 +1,8 @@
+var channels = ["amun.events", "dionaea.connections", "dionaea.capture", "glastopf.events", "beeswarm.hive", "kippo.sessions", "conpot.events", "snort.alert", "wordpot.events", "shockpot.events", "p0f.events", "suricata.events"];
+
+for(c in channels) { 
+    var channel = channels[c]; 
+    db.auth_key.update({'identifier': 'mnemosyne', subscribe:{$nin:[channel]}}, {$push: {subscribe: channel}})
+    db.auth_key.update({'identifier': 'geoloc', subscribe:{$nin:[channel]}}, {$push: {subscribe: channel}})
+}
+