
Rapid7 Security Onion


About

Security Onion is an intrusion detection and network monitoring tool.

Product Details

Vendor URL: Rapid7 Security Onion

Product Type: IDS

Product Tier: Tier II

Integration Method: Syslog

Parser Details

Log Format: JSON

Expected Normalization Rate: 100%

Data Label: RAPID7_SECURITY_ONION

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field      UDM Field
community_id        additional.fields["community_id"]
flow_id             additional.fields["flowid"]
Rapid7              metadata.vendor_name
Security Onion      metadata.product_name
event_type          metadata.product_event_type
proto               network.ip_protocol
app_proto           network.application_protocol_version
src_ip              principal.ip
src_port            principal.port
alert.action        security_result.action_details
alert.rule          security_result.rule_name
alert.signature     security_result.rule_version
alert.signature_id  security_result.rule_id
alert.severity      security_result.severity_details
alert.category      security_result.category_details
dest_ip             target.ip
dest_port           target.port

Product Event Types

Event        UDM Event Classification
all others   GENERIC_EVENT

Log Sample

{
    "timestamp": "2023-06-21T17:03:08.873496+0000",
    "flow_id": 259874411021523,
    "in_iface": "bond0",
    "event_type": "alert",
    "src_ip": "10.0.0.1",
    "src_port": 1099,
    "dest_ip": "10.0.0.2",
    "dest_port": 39460,
    "proto": "TCP",
    "metadata": {
        "flowbits": [
            "ET.RMIRequest"
        ]
    },
    "community_id": "2:+p9knfqOqBvpn26oHEVaGpWzdbY=",
    "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 2034748,
        "rev": 1,
        "signature": "ET POLICY Serialized Java Payload via RMI Response",
        "category": "Potentially Bad Traffic",
        "severity": 2,
        "metadata": {
            "attack_target": [
                "Client_and_Server"
            ],
            "created_at": [
                "2021_12_17"
            ],
            "deployment": [
                "Perimeter"
            ],
            "former_category": [
                "POLICY"
            ],
            "signature_severity": [
                "Informational"
            ],
            "updated_at": [
                "2021_12_17"
            ]
        },
        "rule": "Rulename"
    },
    "app_proto": "failed",
    "stream": 0,
    "packet": "packetdata===",
    "packet_info": {
        "linktype": 1
    }
}

Sample Parsing

additional.fields["community_id"] = "2:+p9knfqOqBvpn26oHEVaGpWzdbY="
additional.fields["flowid"] = "259874411021523"
metadata.product_event_type = "alert"
metadata.product_name = "Security Onion"
metadata.vendor_name = "Rapid7"
network.application_protocol_version = "failed"
network.ip_protocol = "TCP"
observer.hostname = "hostname"
principal.ip = "10.0.0.1"
principal.port = 1099
security_result.action_details = "allowed"
security_result.action = "ALLOW"
security_result.category_details = "Potentially Bad Traffic"
security_result.rule_id = "2034748"
security_result.rule_name = "Rulename"
security_result.rule_version = "ET POLICY Serialized Java Payload via RMI Response"
security_result.severity_details = "2"
target.ip = "10.0.0.2"
target.port = 39460
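The mapping table and the sample parsing above can be exercised with the following normalizer. It is an added illustration, not the vendor's parser: it flattens one Security Onion JSON line into the documented UDM fields, coerces the numeric flow_id, signature_id and severity values to strings as the sample parsing shows, and leaves security_result.* empty for non-alert record types that carry no alert object. The "blocked" -> "BLOCK" entry in ACTION_MAP is an assumption extending the single "allowed" -> "ALLOW" case on the page.

```python
import json

# Static values and the "all others -> GENERIC_EVENT" rule from the page.
VENDOR, PRODUCT, EVENT_CLASS = "Rapid7", "Security Onion", "GENERIC_EVENT"
# Assumption: the page shows only "allowed" -> "ALLOW"; "blocked" -> "BLOCK"
# is a hypothetical extension of the same pattern.
ACTION_MAP = {"allowed": "ALLOW", "blocked": "BLOCK"}
# (source key, UDM field, coerce to str) for top-level and alert.* keys.
TOP_FIELDS = [("community_id", 'additional.fields["community_id"]', False),
              ("flow_id", 'additional.fields["flowid"]', True),
              ("proto", "network.ip_protocol", False),
              ("app_proto", "network.application_protocol_version", False),
              ("src_ip", "principal.ip", False), ("src_port", "principal.port", False),
              ("dest_ip", "target.ip", False), ("dest_port", "target.port", False)]
ALERT_FIELDS = [("action", "security_result.action_details", False),
                ("rule", "security_result.rule_name", False),
                ("signature", "security_result.rule_version", False),
                ("signature_id", "security_result.rule_id", True),
                ("severity", "security_result.severity_details", True),
                ("category", "security_result.category_details", False)]


def normalize(raw: str) -> dict:
    """Flatten one Security Onion JSON log line into {udm_field: value}."""
    ev = json.loads(raw)
    udm = {"metadata.vendor_name": VENDOR, "metadata.product_name": PRODUCT,
           "metadata.product_event_type": ev.get("event_type"),
           "metadata.event_type": EVENT_CLASS}
    for key, field, as_str in TOP_FIELDS:
        if key in ev:
            udm[field] = str(ev[key]) if as_str else ev[key]
    # alert.* exists only for event_type "alert"; other EVE record types
    # (flow, dns, ...) simply yield no security_result fields.
    alert = ev.get("alert")
    if isinstance(alert, dict):
        for key, field, as_str in ALERT_FIELDS:
            if key in alert:
                udm[field] = str(alert[key]) if as_str else alert[key]
        if alert.get("action") in ACTION_MAP:
            udm["security_result.action"] = ACTION_MAP[alert["action"]]
    return udm


# Constructed sample: the page's log sample reduced to the mapped keys.
SAMPLE = json.dumps({"flow_id": 259874411021523, "event_type": "alert",
    "src_ip": "10.0.0.1", "src_port": 1099, "dest_ip": "10.0.0.2",
    "dest_port": 39460, "proto": "TCP", "app_proto": "failed",
    "community_id": "2:+p9knfqOqBvpn26oHEVaGpWzdbY=",
    "alert": {"action": "allowed", "signature_id": 2034748, "severity": 2,
              "signature": "ET POLICY Serialized Java Payload via RMI Response",
              "category": "Potentially Bad Traffic", "rule": "Rulename"}})
```

Calling normalize(SAMPLE) reproduces the Sample Parsing lines above except observer.hostname, which the JSON body does not carry.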