Suricata Integration
ntopng integrates with Suricata for importing both flow metadata (Suricata acts as a sensor) and alerts. Alert ingestion allows ntopng to complement its built-in traffic analysis engine with the flexible signature-based threat detection capabilities provided by Suricata.
ntopng implements flows and alerts ingestion from Suricata using the Eve JSON format through syslog.
Warning: this is a new feature, available in ntopng since version 3.9.
In order to configure Suricata to export flow metadata to ntopng, install Suricata according to the Suricata Documentation and configure it to use syslog as the EVE file type in the suricata.yaml configuration file (this is usually located under /etc/suricata/suricata.yaml or /usr/local/etc/suricata/suricata.yaml):

  - eve-log:
      enabled: yes
      filetype: syslog
Flows Export
If you are already processing traffic with ntopng (mirroring the same traffic to both Suricata and ntopng), flow export from Suricata is not required, as ntopng is already computing flows, in addition to other traffic analysis activities that are not always possible when collecting flows from Suricata rather than looking at raw traffic.
Instead, if you want to use Suricata as a sensor for exporting flow metadata to ntopng, you also need to enable netflow among the eve-log output types in the suricata.yaml configuration file:

      - netflow
Syslog Configuration
Please check the Syslog Configuration paragraph in the Syslog Log Ingestion section for instructions on how to configure rsyslog.
Run Suricata
At this point you should be able to run Suricata to start exporting alerts (and flows) through syslog:
suricata -c /etc/suricata/suricata.yaml -i eth1
ntopng Configuration
As the last step, configure ntopng to ingest syslog messages by adding the syslog interface syslog://<ip>:<port> to the configuration file, so that ntopng listens for connections on the specified <ip> and <port>.
If you are using Suricata for exporting flow metadata, and you enabled netflow in the suricata.yaml configuration file, you do not need to configure additional interfaces in ntopng. Otherwise you also need to configure the interface carrying live traffic (e.g. eth1).
Example:
-i=syslog://127.0.0.1:5140
-i=eth1
Please remember to restart the ntopng service to apply the change.
If you configured two interfaces in ntopng, the syslog interface for ingesting alerts and the network interface for processing traffic, you need to instruct ntopng to bind alerts to traffic. This is achieved by configuring the syslog interface as the companion interface of the network interface through the interface configuration page in the ntopng Web GUI:
- Go to Interfaces -> (interface) -> Settings and select Mirrored Traffic.
- Go to Interfaces -> (interface) -> Settings and select the syslog interface in the Companion Interface dropdown.
- Save
At this point the packet interface should be able to process and show the alerts generated by Suricata, and let you drill down to the corresponding traffic and packets.
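The two steps above (ntopng receiving EVE JSON over a syslog interface, then binding each alert to the traffic seen on the companion packet interface) can be illustrated with a small added example. The code below is not ntopng's or Suricata's own code: it parses syslog lines that carry Suricata EVE JSON records, indexes the unidirectional netflow records into one bidirectional flow per 5-tuple, and attaches alert records to the flow they belong to. The syslog framing (RFC 3164 style, as rsyslog would forward it), the IP addresses, the signature id 9000001 and all other record values are constructed sample data; the direction-independent 5-tuple key is an assumption about how an alert is matched to a flow observed on a packet interface, and is not ntopng's actual matching logic.

```python
"""Added example: ingest Suricata EVE JSON lines received over syslog and bind
alerts to flows. Sample input is constructed; this is not ntopng's own code."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Optional RFC 3164 PRI field: <facility * 8 + severity> at the start of the line.
_PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed syslog lines, as rsyslog might forward them from a sensor named
# "sensor". Lines 5 and 6 are deliberately not valid EVE records.
SAMPLE_SYSLOG_LINES = [
    '<13>Mar  1 12:00:01 sensor suricata[2210]: {"timestamp":"2024-03-01T12:00:01.000000+0000",'
    '"flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9",'
    '"dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"rev":1,'
    '"signature":"EXAMPLE constructed test signature","category":"Example","severity":2}}',
    '<13>Mar  1 12:00:02 sensor suricata[2210]: {"timestamp":"2024-03-01T12:00:02.000000+0000",'
    '"flow_id":1,"event_type":"netflow","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9",'
    '"dest_port":80,"proto":"TCP","netflow":{"pkts":6,"bytes":640,"age":1}}',
    '<13>Mar  1 12:00:02 sensor suricata[2210]: {"timestamp":"2024-03-01T12:00:02.000000+0000",'
    '"flow_id":1,"event_type":"netflow","src_ip":"10.0.0.9","src_port":80,"dest_ip":"10.0.0.5",'
    '"dest_port":51234,"proto":"TCP","netflow":{"pkts":4,"bytes":2100,"age":1}}',
    '<13>Mar  1 12:00:02 sensor suricata[2210]: {"timestamp":"2024-03-01T12:00:02.000000+0000",'
    '"flow_id":2,"event_type":"netflow","src_ip":"10.0.0.5","src_port":53001,"dest_ip":"10.0.0.53",'
    '"dest_port":53,"proto":"UDP","netflow":{"pkts":1,"bytes":70,"age":0}}',
    "<46>Mar  1 12:00:03 sensor rsyslogd: action resumed",
    '<13>Mar  1 12:00:04 sensor suricata[2210]: {"timestamp":"2024-03-01T12:00:04",'
    '"event_type":"alert","src_ip":"10.0.0.5"',
]


def parse_eve_line(line: str) -> Optional[dict]:
    """Return the EVE event carried by one syslog line, or None if the line
    does not carry a complete EVE JSON object."""
    line = line.strip()
    m = _PRI_RE.match(line)
    pri = int(m.group(1)) if m else None
    start = line.find("{")  # the JSON object follows the syslog header
    if start < 0:
        return None
    try:
        event = json.loads(line[start:])
    except json.JSONDecodeError:
        return None  # truncated or non-JSON payload: skip it
    if not isinstance(event, dict) or "event_type" not in event:
        return None
    if pri is not None:
        event["_syslog"] = {"facility": pri // 8, "severity": pri % 8}
    return event


FlowKey = Tuple[str, str, int, str, int]


def flow_key(event: dict) -> FlowKey:
    """Direction-independent 5-tuple, so the two unidirectional netflow records of
    one connection, and an alert fired in either direction, share one key."""
    a = (event["src_ip"], event.get("src_port", 0))   # port 0 for ICMP etc.
    b = (event["dest_ip"], event.get("dest_port", 0))
    lo, hi = sorted([a, b])
    return (event["proto"], lo[0], lo[1], hi[0], hi[1])


def bind_alerts(lines: List[str]) -> Dict[FlowKey, dict]:
    """Build one bidirectional flow entry per key, summing netflow counters and
    attaching the alerts raised on that flow."""
    flows: Dict[FlowKey, dict] = {}
    for line in lines:
        ev = parse_eve_line(line)
        if ev is None:
            continue
        entry = flows.setdefault(
            flow_key(ev), {"flow_ids": set(), "pkts": 0, "bytes": 0, "alerts": []}
        )
        if "flow_id" in ev:  # Suricata's own flow identifier, kept for cross-checking
            entry["flow_ids"].add(ev["flow_id"])
        if ev["event_type"] == "netflow":
            entry["pkts"] += ev["netflow"].get("pkts", 0)
            entry["bytes"] += ev["netflow"].get("bytes", 0)
        elif ev["event_type"] == "alert":
            a = ev["alert"]
            entry["alerts"].append({
                "sid": a.get("signature_id"),
                "signature": a.get("signature"),
                "severity": a.get("severity"),
                "timestamp": ev.get("timestamp"),
            })
    return flows


if __name__ == "__main__":
    for key, entry in bind_alerts(SAMPLE_SYSLOG_LINES).items():
        print(key, entry["pkts"], "pkts", entry["bytes"], "bytes",
              len(entry["alerts"]), "alert(s)")
```

Run on the constructed input, the TCP connection 10.0.0.5:51234 <-> 10.0.0.9:80 ends up as one flow with 10 packets, 2740 bytes and one attached alert, the DNS flow has no alerts, and the rsyslogd line and the truncated record are skipped rather than breaking ingestion. Note that EVE netflow records are unidirectional, which is why the example sums both directions into one entry; if you export flow events instead, each record already covers both directions.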
Suricata Acceleration
Read the IDS Acceleration section to learn how to accelerate Suricata with both PF_RING and ntopng.