Monitor eth0 and eth1 with zeek and suricata

Vagrant/logger_bootstrap.sh

@@ -377,6 +377,11 @@ install_zeek() {
   crudini --set $NODECFG proxy host localhost
 
   # Setup $CPUS numbers of Zeek workers
+  crudini --set $NODECFG worker-eth0 type worker
+  crudini --set $NODECFG worker-eth0 host localhost
+  crudini --set $NODECFG worker-eth0 interface eth0
+  crudini --set $NODECFG worker-eth0 lb_method pf_ring
+  crudini --set $NODECFG worker-eth0 lb_procs "$(nproc)"
   crudini --set $NODECFG worker-eth1 type worker
   crudini --set $NODECFG worker-eth1 host localhost
   crudini --set $NODECFG worker-eth1 interface eth1
@@ -391,7 +396,7 @@ install_zeek() {
   # Configure the Splunk inputs
   mkdir -p /opt/splunk/etc/apps/Splunk_TA_bro/local && touch /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf
   crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager index zeek
-  crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager sourcetype bro:json
+  crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager sourcetype zeek:json
   crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager whitelist '.*\.log$'
   crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager blacklist '.*(communication|stderr)\.log$'
   crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager disabled 0
@@ -464,12 +469,11 @@ install_suricata() {
   suricata-update enable-source ptresearch/attackdetection
 
   # Configure the Splunk inputs
-  mkdir -p /opt/splunk/etc/apps/SplunkLightForwarder/local && touch /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf
-  crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata index suricata
-  crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata sourcetype suricata:json
-  crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata whitelist 'eve.json'
-  crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata disabled 0
-  crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/props.conf json_suricata TRUNCATE 0
+  crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata index suricata
+  crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata sourcetype suricata:json
+  crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata whitelist 'eve.json'
+  crudini --set /opt/splunk/etc/apps/search/local/inputs.conf monitor:///var/log/suricata disabled 0
+  crudini --set /opt/splunk/etc/apps/search/local/props.conf suricata:json TRUNCATE 0
 
   # Update suricata and restart
   suricata-update

Vagrant/resources/splunk_server/logger_dashboard.xml

@@ -69,13 +69,14 @@
       <title>Zeek Network Traffic by Type</title>
       <chart>
         <search>
-          <query>index=zeek | stats count by _time, tag::eventtype | timechart span=1h count by tag::eventtype</query>
+          <query>| tstats count where index=zeek by source, _time span=1h prestats=t | timechart span=1h count by source useother=f</query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
         </search>
         <option name="charting.chart">column</option>
         <option name="charting.chart.stackMode">stacked</option>
         <option name="charting.drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
       </chart>
     </panel>
   </row>
@@ -125,16 +126,18 @@
       <table>
         <title>http://findingbad.blogspot.com/2020/05/hunting-for-beacons-part-2.html</title>
         <search>
-          <query>index=zeek (dest_port=443 OR dest_port=80)  
-| rename orig_bytes as bytes_out resp_bytes as bytes_in 
-| stats count(bytes_out) as "beacon_count" values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out |eventstats sum(beacon_count) as total_count dc(bytes_out) as unique_count by src_ip,dest_ip 
-| eval beacon_avg=('beacon_count' / 'total_count') 
-| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out 
-| head 100
-| eval incount=mvcount(bytes_in) 
-| eventstats avg(beacon_count) as overall_average 
-| eval beacon_percentage=('beacon_count' / 'overall_average') 
-| sort - beacon_percentage</query>
+          <query>index=zeek (dest_port=443 OR dest_port=80)  dest_ip!=192.168.0.0/16
+| rename orig_bytes as bytes_out resp_bytes as bytes_in
+| stats count(bytes_out) as "beacon_count" values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out |eventstats sum(beacon_count) as total_count dc(bytes_out) as unique_count by src_ip,dest_ip
+| eval beacon_avg=('beacon_count' / 'total_count')
+| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out
+| eval beacon_avg=('beacon_count' / 'total_count')
+| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out
+| eval incount=mvcount(bytes_in)
+| eventstats avg(beacon_count) as overall_average
+| eval beacon_percentage=('beacon_count' / 'overall_average')
+| sort - beacon_percentage
+| fields - incount,overall_average</query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
         </search>
@@ -215,4 +218,4 @@
       </chart>
     </panel>
   </row>
-</dashboard>
+</dashboard>

Vagrant/resources/suricata/suricata.yaml

@@ -124,11 +124,14 @@ logging:
       facility: local5
       format: "[%i] <%d> -- "
 af-packet:
+  - interface: eth0
+    cluster-id: 98
+    cluster-type: cluster_flow
+    defrag: yes
   - interface: eth1
     cluster-id: 99
     cluster-type: cluster_flow
     defrag: yes
-  - interface: default
 pcap-file:
   checksum-checks: auto
 app-layer: