Rendered documentation
This page renders the module's Markdown and Mermaid directly from the public documentation source.
Overview#
Argus integrates with Suricata, the high-performance open-source Intrusion Detection and Prevention System (IDS/IPS) maintained by the Open Information Security Foundation (OISF). EVE JSON alert logs produced by Suricata are ingested directly into Argus, normalised into structured alert records, and made available for cross-correlation with threat intelligence, MISP indicators, and Sigma rule matches. This closes the loop between network-level detection and the broader operational intelligence picture.
Key Features#
EVE JSON Batch Ingestion#
The ingestEveBatch operation accepts raw EVE JSON log lines (one JSON object per batch element, i.e. one line of eve.json) and processes them as a pipeline: parse → normalise → persist → audit. The parse_eve_json_batch adapter handles Suricata's EVE format, including the alert, dns, http, tls, and fileinfo event types. Each alert is normalised into a structured Argus record capturing signature ID, rule name, severity, source/destination IP and port, protocol, and alert category.
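The parse → normalise → persist → audit pipeline, as an added example (not Argus's own ingestEveBatch or parse_eve_json_batch code, whose internals are not shown on this page). The sample EVE lines are constructed, not captured sensor output; the in-memory store, the audit-record fields and the sensor_id parameter are assumptions. Non-alert event types are parsed and counted, only alerts are persisted, and a line that is not JSON or an alert event missing its alert object is rejected individually rather than failing the whole batch:

```python
import hashlib
import json
from datetime import datetime

# EVE event types the adapter accepts; anything else is rejected at parse time.
SUPPORTED_EVENT_TYPES = {"alert", "dns", "http", "tls", "fileinfo"}
REQUIRED_ALERT_FIELDS = ("signature_id", "signature", "category", "severity")

# Constructed sample EVE lines (not from a real sensor). Line 4 is not JSON and line 5 is an
# alert event without an "alert" object, to exercise the rejection paths.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2026-03-18T10:15:02.123456+0000","flow_id":1,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2026-03-18T10:15:03.000000+0000","flow_id":2,"event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","rrname":"example.org","rrtype":"A"}}',
    '{"timestamp":"2026-03-18T10:15:04.000000+0000","flow_id":3,"event_type":"alert",'
    '"src_ip":"10.0.0.9","src_port":40000,"dest_ip":"203.0.113.4","dest_port":80,"proto":"TCP",'
    '"alert":{"signature_id":1000001,"rev":1,"signature":"LOCAL POLICY Cleartext HTTP to external host",'
    '"category":"Potential Corporate Privacy Violation","severity":3}}',
    "this line is not JSON",
    '{"timestamp":"2026-03-18T10:15:05.000000+0000","flow_id":4,"event_type":"alert","src_ip":"10.0.0.9"}',
]


def parse_eve_json_batch(lines):
    """Parse step: one EVE object per element. Returns (events, errors); bad lines never abort the batch."""
    events, errors = [], []
    for idx, line in enumerate(lines):
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append({"index": idx, "reason": f"invalid JSON: {exc.msg}"})
            continue
        if not isinstance(obj, dict) or obj.get("event_type") not in SUPPORTED_EVENT_TYPES:
            errors.append({"index": idx, "reason": "unsupported or missing event_type"})
            continue
        events.append(obj)
    return events, errors


def normalise_alert(event):
    """Normalise step: flatten one EVE alert into an Argus-style record, or None if fields are missing."""
    alert = event.get("alert")
    if not isinstance(alert, dict) or any(k not in alert for k in REQUIRED_ALERT_FIELDS):
        return None
    try:  # EVE writes "+0000" style offsets, which %z accepts
        ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    except (KeyError, ValueError):
        return None
    return {
        "timestamp": ts.isoformat(),
        "flow_id": event.get("flow_id"),
        "signature_id": int(alert["signature_id"]),
        "rule_name": alert["signature"],
        "severity": int(alert["severity"]),  # Suricata convention: 1 is the highest priority
        "category": alert["category"],
        "src_ip": event.get("src_ip"), "src_port": event.get("src_port"),
        "dest_ip": event.get("dest_ip"), "dest_port": event.get("dest_port"),
        "proto": event.get("proto"),
    }


def ingest_eve_batch(lines, sensor_id, store, audit_log):
    """Full pipeline. `store` and `audit_log` are lists standing in for persistence (assumption)."""
    events, errors = parse_eve_json_batch(lines)
    alerts = []
    for ev in events:
        if ev["event_type"] != "alert":
            continue  # dns/http/tls/fileinfo are parsed and counted but not persisted here
        rec = normalise_alert(ev)
        if rec is None:
            errors.append({"flow_id": ev.get("flow_id"), "reason": "alert missing required fields"})
            continue
        rec["sensor_id"] = sensor_id
        alerts.append(rec)
    store.extend(alerts)  # persist step
    # Audit step: one ingest record per batch, with a digest of the raw input for later verification.
    audit = {
        "action": "interop.ingest", "source": "suricata", "sensor_id": sensor_id,
        "lines_received": len(lines), "events_parsed": len(events),
        "alerts_persisted": len(alerts), "rejected": len(errors),
        "batch_sha256": hashlib.sha256("\n".join(lines).encode()).hexdigest(),
    }
    audit_log.append(audit)
    return audit


if __name__ == "__main__":
    store, audit_log = [], []
    print(ingest_eve_batch(SAMPLE_EVE_LINES, "dmz-sensor-01", store, audit_log))
```

Rejections are recorded per line, so a single corrupt line (a partially written record at log rotation, for instance) costs one alert rather than the batch, and the audit record still reports how much of the input was dropped.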
API Polling#
For deployments where a local REST API exposes Suricata alerts (stock Suricata writes EVE output to a file or Unix socket, so such an endpoint is normally provided by a forwarder or sidecar in front of the sensor), the SuricataClient polls that endpoint on a configured interval to retrieve new alerts. Argus therefore supports both push-based (log file ingestion) and pull-based (API polling) deployment patterns, accommodating sensor architectures from centralised log aggregators to edge-deployed sensors.
Alert Inventory and Cross-Correlation#
Query the alert inventory filtered by signature ID, severity, source IP, or time range. Suricata alerts can be cross-referenced against MISP indicators and Sigma rules to identify where network-level IDS signals confirm or extend threat intelligence feeds. Rule-name-based deduplication prevents a single repeatedly firing signature from flooding analyst queues; because it keys on rule name rather than on the affected hosts, use the source IP filter on the underlying inventory when per-host counts matter.
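Rule-name deduplication followed by MISP cross-referencing, as an added example (not Argus's inventory or correlation code). The alert records and the MISP-style attributes are constructed; the 60-second window, the suppressed_count field and the misp_hits field are assumptions. The matcher goes slightly beyond the page in accepting CIDR values for ip-dst/ip-src attributes, which MISP allows:

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed normalised alerts (the shape the EVE normaliser produces), not real sensor data:
# three hits of one signature from one host within 45 s, two unrelated rules, and the first
# signature again 15 minutes later.
ALERTS = [
    {"timestamp": "2026-03-18T10:00:00+00:00", "signature_id": 2100498, "severity": 2,
     "rule_name": "GPL ATTACK_RESPONSE id check returned root", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7"},
    {"timestamp": "2026-03-18T10:00:10+00:00", "signature_id": 2100498, "severity": 2,
     "rule_name": "GPL ATTACK_RESPONSE id check returned root", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7"},
    {"timestamp": "2026-03-18T10:00:40+00:00", "signature_id": 2100498, "severity": 2,
     "rule_name": "GPL ATTACK_RESPONSE id check returned root", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7"},
    {"timestamp": "2026-03-18T10:00:45+00:00", "signature_id": 1000002, "severity": 3,
     "rule_name": "LOCAL POLICY Outbound TLS to watchlisted host", "src_ip": "10.0.0.9", "dest_ip": "203.0.113.77"},
    {"timestamp": "2026-03-18T10:00:50+00:00", "signature_id": 1000003, "severity": 3,
     "rule_name": "LOCAL INFO Outbound DNS query to unusual TLD", "src_ip": "10.0.0.9", "dest_ip": "192.0.2.10"},
    {"timestamp": "2026-03-18T10:15:00+00:00", "signature_id": 2100498, "severity": 2,
     "rule_name": "GPL ATTACK_RESPONSE id check returned root", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7"},
]

# Constructed MISP-style attributes (type / value / tag). CIDR values are accepted for ip-* types.
MISP_INDICATORS = [
    {"type": "ip-dst", "value": "198.51.100.7", "tag": 'misp-galaxy:threat-actor="Example Actor"'},
    {"type": "ip-dst", "value": "203.0.113.0/24", "tag": "tlp:amber"},
    {"type": "ip-src", "value": "192.0.2.0/24", "tag": "tlp:green"},  # matches src_ip only
]


def _ts(rec):
    return datetime.fromisoformat(rec["timestamp"])


def dedup_by_rule(alerts, window=timedelta(seconds=60)):
    """Collapse repeats of one rule name within `window` into the first hit plus a suppressed count.
    A new window opens when a hit arrives more than `window` after the current window's first hit."""
    windows = {}  # rule_name -> (window_start, representative record)
    out = []
    for rec in sorted(alerts, key=_ts):
        current = windows.get(rec["rule_name"])
        if current and _ts(rec) - current[0] <= window:
            current[1]["suppressed_count"] += 1
            continue
        rep = dict(rec, suppressed_count=0)
        windows[rec["rule_name"]] = (_ts(rec), rep)
        out.append(rep)
    return out


def _ip_in(ip, value):
    try:  # a bare address parses as a /32 (or /128) network
        return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
    except ValueError:  # non-IP attribute value or malformed address: no match, no crash
        return False


def correlate_with_misp(alerts, indicators):
    """Attach matching MISP attributes: ip-dst is checked against dest_ip, ip-src against src_ip."""
    field_for = {"ip-dst": "dest_ip", "ip-src": "src_ip"}
    enriched = []
    for rec in alerts:
        hits = [ind for ind in indicators
                if ind["type"] in field_for
                and rec.get(field_for[ind["type"]])
                and _ip_in(rec[field_for[ind["type"]]], ind["value"])]
        enriched.append(dict(rec, misp_hits=hits))
    return enriched


def confirmed_by_intel(alerts, indicators, window=timedelta(seconds=60)):
    """Deduplicate first, then keep only the representatives that an indicator confirms."""
    return [r for r in correlate_with_misp(dedup_by_rule(alerts, window), indicators) if r["misp_hits"]]


if __name__ == "__main__":
    for rec in confirmed_by_intel(ALERTS, MISP_INDICATORS):
        print(rec["timestamp"], rec["rule_name"], rec["suppressed_count"], [h["tag"] for h in rec["misp_hits"]])
```

Deduplicating before correlating keeps the intel lookup cheap under a flood, but note the caveat above: the three early hits collapse to one record whether or not they involved the same hosts, so the representative's suppressed_count is a signal to go back to the inventory, not a per-host count.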
Clearance-Aware Alert Access#
Alert records carry secrecy_level tags, allowing multi-classification network monitoring. Traffic from classified network segments can be ingested with higher classification labels, restricting visibility to cleared analysts. This supports NATO network monitoring scenarios where sensor telemetry from SECRET-level segments must be isolated from UNCLASSIFIED analyst views.
EDF Audit Trail#
Every EVE batch ingestion generates an interop ingest audit record. This satisfies EDF Golden Rule 15 requirements for logging all data inflows into the platform, including network sensor telemetry.
Use Cases#
- DMZ Monitoring: Ingest Suricata alerts from perimeter sensors and correlate hits against MISP threat actor IOCs to identify targeted intrusion attempts in near-real-time.
- Threat Hunting: Query accumulated Suricata alert history to hunt for low-and-slow lateral movement patterns that signature-based alerting missed in real time.
- Malware C2 Detection: Run Emerging Threats (ET Open or ET Pro) Suricata rules covering known C2 communication patterns on the sensors and surface the resulting confirmed C2 activity directly in the Argus incident timeline.
- NATO Sensor Grid: Aggregate alerts from multiple Suricata sensors deployed at different network trust levels and enforce classification-based access control across the combined dataset.
Integration#
Available via GraphQL with queries for alert listing and statistics, and mutations for EVE batch ingestion and API polling. All operations require authentication and organisation scoping.
Compatible with Suricata 6.x and 7.x EVE JSON format. Works alongside Sigma (for detection rule management), MISP (for IOC cross-referencing), and the SIEM Connector domain (for forwarding alerts to downstream SIEM platforms).
Last Reviewed: 2026-03-18