Dear all,
As part of the testing of the IETF draft IDMEFv2 (Incident Detection Message Exchange Format) standard, a universal security format to exchange alerts between any security tools (Cyber and Physical) and managers (SIEMs), we have developed an IDMEFv2 connector for Suricata. The challenge is to define a single format for any kind of incident: cyber-security, physical security, performance issues and even natural hazards.
Currently, this connector supports the following tools:
- Clamav: Anti-virus
- Suricata: NIDS
- Wazuh: HIDS
- Zabbix: Performance monitoring
- ZoneMinder: CCTV – Motion detection
It is available on the IDMEFv2 GitHub repository (GitHub - IDMEFv2/idmefv2-connectors: IDMEFv2 connectors for various probes and managers).
This connector allows you to connect Suricata to Concerto SIEM (a fork of Prelude OSS), the first IDMEFv2-compatible SIEM (GitHub - IDMEFv2/Concerto-SIEM).
Please feel free to download and test it, and report any issues, remarks or comments on GitHub. We are very interested in Suricata users' feedback, both to tune our connector and to improve the IDMEFv2 format itself.
For more information, visit the IDMEFv2 website: https://www.idmefv2.org and subscribe to the IDMEFv2 mailing list: FreeLists / IDMEFv2 Task Force
The development of this connector was carried out within the framework of the European research project Safe4Soc (Standard Alert Format Exchange for SOCs) (https://safe4soc.eu). The project SAFE4SOC, funded under Grant Agreement No. 101145846, is supported by the European Cybersecurity Competence Centre (ECCC).
Best regards,