Pulling Suricata alerts from multiple firewalls into one location

Hello everyone and thanks in advance for any replies and help.

I work for an MSP in the Lancaster PA area and we manage multiple Netgate firewalls. We are looking to roll out Suricata to all of them using Proofpoint’s Emerging Threats rules.

What we are struggling to find is a solution to pull alerts from multiple firewalls into one repository where we can then act on them as well as pare down the alert barrage. Otherwise management of so many would be almost impossible. I’ve talked to Stamus and that doesn’t seem like it will work, but they are investigating a way to pull alerts from firewalls into their system. I’ve also looked at Graylog, but that doesn’t seem like a great possibility.

What, if any, are the options for accomplishing this?


I haven’t looked but does suricata send its logs to syslog? You might be able to use a SIEM to parse the logs and create alerts around them.

I’ve seen SIEMs that do this, but they usually use ELK or something running on Docker. I haven’t seen anything that just pulls information directly out of a Netgate box unless I’m missing something. I was hoping that Stamus could do this; I’m still waiting for them to get back to me with the results of their experiment.

It looks like Tom uses Graylog, but I’m not sure how scalable that is.

Graylog is pretty powerful in that you can create your own parser and create alert rules based on the criteria you are looking for. I’ll admit there is a little learning curve to setting that up.

It can be sent to syslog and then sent to something such as Graylog, but unless the client has external ports open for some services, Suricata is not really that effective, as most traffic is encrypted.
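The collection path the last few replies sketch (each firewall's Suricata ships alerts over syslog, a central parser extracts the fields, and rules collapse the flood into something a person can act on) looks like this in code. This is an added example, not code from the thread or from Suricata, Netgate or Graylog; it assumes each sensor writes EVE JSON alert records to a syslog output, so the collector sees one syslog header followed by one JSON object per line. The hostnames, addresses, timestamps and sample lines are constructed; the JSON field names follow Suricata's EVE alert layout.

```python
"""Central triage of Suricata EVE alerts forwarded over syslog from several sensors.

Added example for the thread above; not Suricata, Netgate or Graylog code.
Assumes each firewall sends EVE JSON alert records via syslog, so every line is
a syslog header followed by one JSON object (the same shape a Graylog extractor
or pipeline rule would have to parse).
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input from three hypothetical sensors (fw-clientA/B/C).
# Includes two identical hits, one signature seen on two firewalls, a non-alert
# "flow" record, a truncated line, and a low-severity informational rule.
SAMPLE_LOG = """\
<13>Mar  4 10:15:01 fw-clientA suricata[2211]: {"timestamp":"2024-03-04T10:15:01.123456-0500","event_type":"alert","src_ip":"203.0.113.10","src_port":44321,"dest_ip":"192.0.2.5","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
<13>Mar  4 10:15:03 fw-clientA suricata[2211]: {"timestamp":"2024-03-04T10:15:03.555000-0500","event_type":"alert","src_ip":"203.0.113.10","src_port":44398,"dest_ip":"192.0.2.5","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
<13>Mar  4 10:16:40 fw-clientB suricata[1877]: {"timestamp":"2024-03-04T10:16:40.010000-0500","event_type":"alert","src_ip":"203.0.113.10","src_port":51002,"dest_ip":"192.0.2.77","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
<13>Mar  4 10:16:41 fw-clientB suricata[1877]: {"timestamp":"2024-03-04T10:16:41.000000-0500","event_type":"flow","src_ip":"198.51.100.9","dest_ip":"192.0.2.77","proto":"TCP"}
<13>Mar  4 10:17:12 fw-clientC suricata[3090]: {"timestamp":"2024-03-04T10:17:12.900000-0500","event_type":"alert","src_ip":"198.51.100.44","src_port":80,"dest_ip":"192.0.2.120","dest_port":39999,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2210054,"rev":2,"signature":"SURICATA STREAM excessive retransmissions","category":"Generic Protocol Command Decode","severity":3}}
<13>Mar  4 10:17:15 fw-clientC suricata[3090]: {"timestamp":"2024-03-04T10:17:15.000000-0500","event_type":"alert","src_ip":"198.51.100.44"
<13>Mar  4 10:18:00 fw-clientA suricata[2211]: {"timestamp":"2024-03-04T10:18:00.000000-0500","event_type":"alert","src_ip":"192.0.2.8","src_port":50110,"dest_ip":"198.51.100.200","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2013028,"rev":7,"signature":"ET POLICY curl User-Agent Outbound","category":"Attempted Information Leak","severity":3}}
"""

# BSD-style syslog header: <pri>Mon dd hh:mm:ss hostname tag[pid]: payload
SYSLOG_RE = re.compile(
    r"^<\d{1,3}>\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+\S+:\s+(?P<payload>\{.*)$"
)


def parse_syslog_line(line):
    """Return (sensor_hostname, eve_record) for an alert line, else None.

    Non-alert EVE records (flow, stats, dns, ...) and lines whose JSON is
    truncated or invalid are rejected so they cannot poison the aggregate.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        rec = json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return None
    if rec.get("event_type") != "alert" or "alert" not in rec:
        return None
    return m.group("host"), rec


@dataclass
class AlertSummary:
    sensor: str
    signature_id: int
    signature: str
    severity: int
    src_ip: str
    dest_ip: str
    count: int = 0
    first_seen: str = ""
    last_seen: str = ""
    dest_ports: set = field(default_factory=set)


def aggregate(log_text):
    """Collapse repeated alerts into one row per (sensor, sid, src, dst).

    Returns the rows plus the number of lines that were dropped; a real
    collector should chart that number, since a jump usually means a sensor
    changed its output format rather than went quiet.
    """
    summaries, dropped = {}, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_syslog_line(line)
        if parsed is None:
            dropped += 1
            continue
        sensor, rec = parsed
        a = rec["alert"]
        key = (sensor, a["signature_id"], rec["src_ip"], rec["dest_ip"])
        s = summaries.get(key)
        if s is None:
            s = AlertSummary(sensor, a["signature_id"], a["signature"], a["severity"],
                             rec["src_ip"], rec["dest_ip"], first_seen=rec["timestamp"])
            summaries[key] = s
        s.count += 1
        s.last_seen = rec["timestamp"]
        s.dest_ports.add(rec.get("dest_port"))
    return summaries, dropped


def triage(summaries, max_severity=2, suppress_sids=frozenset()):
    """Keep rows worth a human: Suricata severity 1 is the most severe, so keep
    severity <= max_severity, drop suppressed sids, most severe and busiest first."""
    kept = [s for s in summaries.values()
            if s.severity <= max_severity and s.signature_id not in suppress_sids]
    return sorted(kept, key=lambda s: (s.severity, -s.count))


def cross_sensor_sids(summaries):
    """Signatures that fired on more than one firewall: either a fleet-wide
    noisy rule to suppress or one source touching several clients."""
    sensors_by_sid = defaultdict(set)
    for s in summaries.values():
        sensors_by_sid[s.signature_id].add(s.sensor)
    return {sid: sorted(h) for sid, h in sensors_by_sid.items() if len(h) > 1}


if __name__ == "__main__":
    rows, dropped = aggregate(SAMPLE_LOG)
    print(f"{sum(r.count for r in rows.values())} alerts -> {len(rows)} rows, {dropped} lines dropped")
    for r in triage(rows):
        print(f"[sev {r.severity}] {r.sensor} {r.src_ip} -> {r.dest_ip} x{r.count} "
              f"sid {r.signature_id}: {r.signature}")
    print("seen on several sensors:", cross_sensor_sids(rows))
```

The same three steps map onto Graylog: the regex is an extractor on the raw message, the JSON parse is the JSON extractor or a pipeline `parse_json`, and `triage`/`cross_sensor_sids` become aggregation alerts keyed on `signature_id` and source hostname. Tuning is then a matter of growing `suppress_sids` from the rows that keep showing up on every sensor.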

Hi Tom, thanks for the reply and the great content! It’s been extremely helpful more times than I can count.

I’m a little confused about your response. Are you saying that Suricata isn’t a good solution for IDS/IPS? Is there something that would work better, or has IPS/IDS been rendered mostly irrelevant by encryption?

Yes, it’s just not as effective as it used to be, and people oversell it as a magic solution. Focus on the endpoints; that is where the bad things happen.

Ok, that puts things in a different perspective. Again, thanks for the response.