Rapid7 Security Onion
About
Security Onion is an intrusion detection and network monitoring tool.
Product Details
Vendor URL: Rapid7 Security Onion
Product Type: IDS
Product Tier: Tier II
Integration Method: Syslog
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: RAPID7_SECURITY_ONION
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| community_id | additional.fields["community_id"] |
| flow_id | additional.fields["flowid"] |
| Rapid7 | metadata.vendor_name |
| Security Onion | metadata.product_name |
| event_type | metadata.product_event_type |
| proto | network.ip_protocol |
| app_proto | network.application_protocol_version |
| src_ip | principal.ip |
| src_port | principal.port |
| alert.action | security_result.action_details |
| alert.rule | security_result.rule_name |
| alert.signature | security_result.rule_version |
| alert.signature_id | security_result.rule_id |
| alert.severity | security_result.severity_detail |
| alert.category | security_result.category_details |
| dest_ip | target.ip |
| dest_port | target.port |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| all others | GENERIC_EVENT |
Log Sample
```json
{
  "timestamp": "2023-06-21T17:03:08.873496+0000",
  "flow_id": 259874411021523,
  "in_iface": "bond0",
  "event_type": "alert",
  "src_ip": "10.0.0.1",
  "src_port": 1099,
  "dest_ip": "10.0.0.2",
  "dest_port": 39460,
  "proto": "TCP",
  "metadata": {
    "flowbits": [
      "ET.RMIRequest"
    ]
  },
  "community_id": "2:+p9knfqOqBvpn26oHEVaGpWzdbY=",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2034748,
    "rev": 1,
    "signature": "ET POLICY Serialized Java Payload via RMI Response",
    "category": "Potentially Bad Traffic",
    "severity": 2,
    "metadata": {
      "attack_target": [
        "Client_and_Server"
      ],
      "created_at": [
        "2021_12_17"
      ],
      "deployment": [
        "Perimeter"
      ],
      "former_category": [
        "POLICY"
      ],
      "signature_severity": [
        "Informational"
      ],
      "updated_at": [
        "2021_12_17"
      ]
    },
    "rule": "Rulename"
  },
  "app_proto": "failed",
  "stream": 0,
  "packet": "packetdata===",
  "packet_info": {
    "linktype": 1
  }
}
```
Sample Parsing
additional.fields["community_id"] = "2:+p9knfqOqBvpn26oHEVaGpWzdbY="
additional.fields["flowid"] = "259874411021523"
metadata.product_event_type = "alert"
metadata.product_name = "Security Onion"
metadata.vendor_name = "Rapid7"
network.application_protocol_version = "failed"
network.ip_protocol = "TCP"
observer.hostname = "hostname"
principal.ip = "10.0.0.1"
principal.port = 1099
security_result.action_details = "allowed"
security_result.action = "ALLOW"
security_result.category_details = "Potentially Bad Traffic"
security_result.rule_id = "2034748"
security_result.rule_name = "Rulename"
security_result.rule_version = "ET POLICY Serialized Java Payload via RMI Response"
security_result.severity_details = "2"
target.ip = "10.0.0.2"
target.port = 39460
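The field table and the sample parsing above, carried out by a small normalizer (an added example, not the parser's own code): it walks each dotted source path from the table through the alert JSON, stringifies the fields the sample parsing shows as strings, and derives security_result.action from alert.action. The abridged sample, the function names and the "blocked" -> "BLOCK" case of the action enum (the page shows only "allowed" -> "ALLOW") are assumptions, and observer.hostname, which the JSON body does not carry, is not produced.

```python
import json

# Field table from this page: dotted path in the Security Onion alert JSON -> UDM field.
FIELD_MAP = {
    "community_id": 'additional.fields["community_id"]', "flow_id": 'additional.fields["flowid"]',
    "event_type": "metadata.product_event_type", "proto": "network.ip_protocol",
    "app_proto": "network.application_protocol_version",
    "src_ip": "principal.ip", "src_port": "principal.port",
    "dest_ip": "target.ip", "dest_port": "target.port",
    "alert.action": "security_result.action_details", "alert.rule": "security_result.rule_name",
    "alert.signature": "security_result.rule_version", "alert.signature_id": "security_result.rule_id",
    "alert.severity": "security_result.severity_details", "alert.category": "security_result.category_details",
}
# UDM fields the sample parsing shows as strings although the log carries numbers.
STRINGIFIED = {'additional.fields["flowid"]', "security_result.rule_id", "security_result.severity_details"}
# Assumed: alert.action -> UDM security_result.action enum (the page shows only "allowed" -> "ALLOW").
ACTION_ENUM = {"allowed": "ALLOW", "blocked": "BLOCK"}

# Abridged copy of the page's log sample, used as the stand-alone input.
SAMPLE = json.dumps({"event_type": "alert", "flow_id": 259874411021523, "proto": "TCP",
    "src_ip": "10.0.0.1", "src_port": 1099, "dest_ip": "10.0.0.2", "dest_port": 39460,
    "app_proto": "failed", "community_id": "2:+p9knfqOqBvpn26oHEVaGpWzdbY=",
    "alert": {"action": "allowed", "signature_id": 2034748, "severity": 2, "rule": "Rulename",
              "signature": "ET POLICY Serialized Java Payload via RMI Response",
              "category": "Potentially Bad Traffic"}})


def lookup(obj, dotted):
    """Walk a dotted path such as 'alert.signature_id' through nested dicts; None if absent."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def to_udm(raw_line):
    """Normalize one Security Onion alert JSON line into a flat dict of UDM fields."""
    event = json.loads(raw_line)
    udm = {"metadata.vendor_name": "Rapid7", "metadata.product_name": "Security Onion"}
    for src, dst in FIELD_MAP.items():
        value = lookup(event, src)
        if value is None:
            continue  # absent source fields are not emitted rather than set to null
        udm[dst] = str(value) if dst in STRINGIFIED else value
    action = lookup(event, "alert.action")
    if action in ACTION_ENUM:  # enum value alongside the raw action_details string
        udm["security_result.action"] = ACTION_ENUM[action]
    return udm
```

Running `to_udm(SAMPLE)` yields the key/value pairs listed under Sample Parsing, minus observer.hostname; an event without an alert object (for example a flow record) yields only the metadata and network fields present in it.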