Suricata IDS

Connect Suricata IDS to Radiant Security to forward intrusion detection alerts for AI triage.

Suricata IDS is an open-source intrusion detection and prevention engine that inspects network traffic for malware, exploit attempts, lateral movement, and policy violations. Connecting Suricata IDS forwards EVE JSON intrusion alerts to Radiant Security through the Radiant Agent over syslog. Radiant uses these alerts to correlate network-layer threats with endpoint and identity telemetry during AI triage, giving analysts the full attack context behind every alert.

Prerequisites

Admin access to the Suricata IDS host
A deployed Radiant Agent reachable from the Suricata IDS host

Add the data connector in Radiant Security

Log in to Radiant Security.
From the navigation menu, click Settings > Data Connectors, then click + Add Connector.
Search for and select Radiant Agent, then click Data Feeds.
Under Select your data feeds, select Suricata IDS, then click Credentials.
Under Credential Name, enter an identifiable name for the Radiant Agent integration (e.g., Radiant Agent integration). To reuse an existing Radiant Agent credential, select it from the drop-down menu.
Click Add Connector.

Configure Suricata IDS to forward syslog

Before starting, confirm the IP address of the Radiant Agent and the port configured to receive Suricata IDS data. If you do not know the port, contact your Customer Success representative.

The steps below configure Suricata to emit EVE logs to the local syslog daemon, then configure rsyslog to forward those messages to the Radiant Agent. For the underlying Suricata options, see the Suricata EVE output documentation.

The example uses the syslog facility local0. If local0 is already in use on the host, replace it with an unused facility in both the Suricata and rsyslog configurations.

Open the Suricata configuration file (typically /etc/suricata/suricata.yaml) and add the following block under the outputs section:

   - eve-log:
       enabled: yes
       filetype: syslog
       facility: local0
       hostname: localhost

Open the rsyslog configuration file (typically /etc/rsyslog.conf) and add a forwarding rule for the chosen facility:

local0.* @<RADIANT_AGENT_IP>:<RADIANT_AGENT_PORT>

3. Replace <RADIANT_AGENT_IP> and <RADIANT_AGENT_PORT> with the IP address and port of the Radiant Agent host.

4. Restart Suricata and rsyslog to apply the changes:

   sudo systemctl restart suricata
   sudo systemctl restart rsyslog

Verify ingestion

After Suricata IDS begins forwarding, confirm alerts and events are reaching Radiant.

In Radiant, navigate to Log Management.
Filter by rs_connectorType:"suricata_ids".
Confirm recent alerts and events appear.

Allow several minutes for alerts and events to be parsed, indexed, and available for search.

PreviousSplunk NextTrend Micro

Last updated 18 days ago

Was this helpful?