Skip to content

Instantly share code, notes, and snippets.

@regit

regit/Suricata dashboard

Last active August 29, 2020 20:41
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save regit/8849943 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save regit/8849943 to your computer and use it in GitHub Desktop.
Download ZIP
A sample Kibana dashboard using Suricata JSON output.
Raw
Suricata dashboard
{
"title": "Suricata EVE Dashboard",
"services": {
"query": {
"list": {
"0": {
"query": "event_type:http",
"alias": "HTTP",
"color": "#7EB26D",
"id": 0,
"pin": true,
"type": "lucene",
"enable": true
},
"1": {
"id": 1,
"color": "#EAB839",
"alias": "Alert",
"pin": true,
"type": "lucene",
"enable": true,
"query": "event_type:alert"
},
"2": {
"id": 2,
"color": "#6ED0E0",
"alias": "DNS",
"pin": true,
"type": "lucene",
"enable": true,
"query": "event_type:dns"
},
"3": {
"id": 3,
"color": "#EF843C",
"alias": "TLS",
"pin": true,
"type": "lucene",
"enable": true,
"query": "event_type:tls"
},
"4": {
"id": 4,
"color": "#E24D42",
"alias": "File",
"pin": true,
"type": "lucene",
"enable": true,
"query": "event_type:file"
},
"5": {
"id": 5,
"color": "#1F78C1",
"alias": "US Issuers",
"pin": true,
"type": "lucene",
"enable": true,
"query": "tls.issuerdn:\"C=US\""
},
"6": {
"id": 6,
"color": "#BA43A9",
"alias": "French Issuers",
"pin": true,
"type": "lucene",
"enable": true,
"query": "tls.issuerdn:\"C=FR\""
},
"7": {
"id": 7,
"color": "#705DA0",
"alias": "Other Issuers",
"pin": true,
"type": "lucene",
"enable": true,
"query": "NOT tls.issuerdn:\"C=FR\" AND NOT tls.issuerdn:\"C=US\" AND NOT tls.issuerdn.raw:\"O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA\" AND tls.issuerdn:*"
},
"8": {
"id": 8,
"color": "#B7DBAB",
"alias": "Suricata event",
"pin": true,
"type": "lucene",
"enable": true,
"query": "event_type:*"
},
"9": {
"id": 9,
"color": "#3F6833",
"alias": "SSH",
"pin": true,
"type": "lucene",
"enable": true,
"query": "event_type:ssh"
},
"10": {
"id": 10,
"color": "#EA6460",
"alias": "Libssh connections",
"pin": true,
"type": "lucene",
"enable": true,
"query": "event_type:ssh AND ssh.client.software_version:libssh-"
},
"11": {
"id": 11,
"color": "#7EB26D",
"alias": "Libssh2 connections",
"pin": true,
"type": "lucene",
"enable": true,
"query": "event_type:ssh AND ssh.client.software_version.raw:libssh2*"
},
"12": {
"id": 12,
"color": "#5195CE",
"alias": "Non libssh connections",
"pin": true,
"type": "lucene",
"enable": true,
"query": "event_type:ssh AND NOT ssh.client.software_version.raw:libssh*"
}
},
"ids": [
0,
1,
2,
3,
4,
5,
6,
7,
8,
9,
10,
11,
12
]
},
"filter": {
"list": {
"0": {
"type": "time",
"field": "@timestamp",
"from": "now-24h",
"to": "now",
"mandate": "must",
"active": true,
"alias": "",
"id": 0
}
},
"ids": [
0
]
}
},
"rows": [
{
"title": "Time Filter",
"height": "100px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"span": 12,
"editable": true,
"type": "histogram",
"loadingEditor": false,
"mode": "count",
"time_field": "@timestamp",
"value_field": null,
"x-axis": true,
"y-axis": true,
"scale": 1,
"y_format": "none",
"grid": {
"max": null,
"min": 0
},
"queries": {
"mode": "selected",
"ids": [
0,
1,
2,
3,
4,
9
]
},
"annotate": {
"enable": false,
"query": "*",
"size": 20,
"field": "_type",
"sort": [
"_score",
"desc"
]
},
"auto_int": true,
"resolution": 100,
"interval": "10m",
"intervals": [
"auto",
"1s",
"1m",
"5m",
"10m",
"30m",
"1h",
"3h",
"12h",
"1d",
"1w",
"1y"
],
"lines": false,
"fill": 0,
"linewidth": 3,
"points": false,
"pointradius": 5,
"bars": true,
"stack": true,
"spyable": true,
"zoomlinks": true,
"options": true,
"legend": true,
"show_query": true,
"interactive": true,
"legend_counts": true,
"timezone": "browser",
"percentage": false,
"zerofill": true,
"derivative": false,
"tooltip": {
"value_type": "cumulative",
"query_as_alias": true
},
"title": "Timeline"
}
],
"notice": false
},
{
"title": "Global stats",
"height": "300px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"error": false,
"span": 4,
"editable": true,
"type": "map",
"loadingEditor": false,
"map": "world",
"colors": [
"#A0E2E2",
"#265656"
],
"size": 100,
"exclude": [],
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
0,
1,
2,
3,
4,
9
]
},
"field": "geoip.country_code2",
"title": "Source IPs"
},
{
"error": false,
"span": 3,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "event_type",
"exclude": [],
"missing": false,
"other": false,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "vertical",
"chart": "pie",
"counter_pos": "none",
"spyable": true,
"queries": {
"mode": "all",
"ids": [
0,
1,
2,
3,
4,
5,
6,
7,
8,
9,
10,
11,
12
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "Event Type"
},
{
"error": false,
"span": 2,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "host.raw",
"exclude": [],
"missing": false,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "table",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
8
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "Suricata"
},
{
"error": false,
"span": 2,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "file.magic.raw",
"exclude": [],
"missing": false,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "table",
"counter_pos": "none",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
4
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "File Type"
},
{
"span": 1,
"editable": true,
"type": "trends",
"loadingEditor": false,
"ago": "1d",
"arrangement": "vertical",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
0,
1,
2,
3,
4
]
},
"style": {
"font-size": "14pt"
},
"title": "Trends",
"reverse": false
}
],
"notice": false
},
{
"title": "Alerts",
"height": "250px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"error": false,
"span": 4,
"editable": true,
"type": "bettermap",
"loadingEditor": false,
"field": "geoip.coordinates",
"size": 1000,
"spyable": true,
"tooltip": "_id",
"queries": {
"mode": "selected",
"ids": [
1
]
},
"title": "Sources Alerts"
},
{
"error": false,
"span": 4,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "alert.signature.raw",
"exclude": [],
"missing": false,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "bar",
"counter_pos": "none",
"spyable": true,
"queries": {
"mode": "all",
"ids": [
0,
1,
2,
3,
4,
5,
6,
7,
8,
9,
10,
11,
12
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "Alerts"
},
{
"error": false,
"span": 4,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "alert.category.raw",
"exclude": [],
"missing": false,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "pie",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
1
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "Alert Categories"
}
],
"notice": false
},
{
"title": "HTTP",
"height": "150px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"error": false,
"span": 3,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "http.hostname.raw",
"exclude": [],
"missing": false,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "table",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
0
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "HTTP hostname"
},
{
"error": false,
"span": 4,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "http.http_user_agent.raw",
"exclude": [],
"missing": false,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "pie",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
0
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "HTTP user agents"
},
{
"span": 5,
"editable": true,
"type": "histogram",
"loadingEditor": false,
"mode": "total",
"time_field": "@timestamp",
"value_field": "http.length",
"x-axis": true,
"y-axis": true,
"scale": 1,
"y_format": "none",
"grid": {
"max": null,
"min": 0
},
"queries": {
"mode": "selected",
"ids": [
0
]
},
"annotate": {
"enable": false,
"query": "*",
"size": 20,
"field": "_type",
"sort": [
"_score",
"desc"
]
},
"auto_int": true,
"resolution": 100,
"interval": "10m",
"intervals": [
"auto",
"1s",
"1m",
"5m",
"10m",
"30m",
"1h",
"3h",
"12h",
"1d",
"1w",
"1y"
],
"lines": true,
"fill": 2,
"linewidth": 2,
"points": false,
"pointradius": 5,
"bars": false,
"stack": false,
"spyable": true,
"zoomlinks": true,
"options": true,
"legend": true,
"show_query": true,
"interactive": true,
"legend_counts": true,
"timezone": "browser",
"percentage": false,
"zerofill": true,
"derivative": false,
"tooltip": {
"value_type": "cumulative",
"query_as_alias": true
},
"title": "HTTP length"
}
],
"notice": false
},
{
"title": "TLS",
"height": "300px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"error": false,
"span": 4,
"editable": true,
"type": "column",
"loadingEditor": false,
"panels": [
{
"loading": false,
"error": false,
"sizeable": false,
"draggable": false,
"removable": false,
"span": 10,
"height": "150px",
"editable": true,
"type": "terms",
"tmode": "terms",
"size": 7,
"field": "tls.subject.raw",
"order": "count",
"chart": "bar",
"counter_pos": "none",
"other": true,
"exclude": [],
"missing": false,
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
3
]
},
"tstat": "total",
"valuefield": "",
"title": "TLS Subjects"
},
{
"loading": false,
"sizeable": false,
"draggable": false,
"removable": false,
"span": 10,
"height": "150px",
"editable": true,
"type": "sparklines",
"mode": "count",
"time_field": "@timestamp",
"value_field": null,
"interval": "3h",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
5,
6,
7
]
},
"title": "Evolution over time"
}
],
"title": "TLS"
},
{
"span": 4,
"editable": true,
"type": "histogram",
"loadingEditor": false,
"mode": "count",
"time_field": "@timestamp",
"value_field": null,
"x-axis": true,
"y-axis": true,
"scale": 1,
"y_format": "none",
"grid": {
"max": null,
"min": 0
},
"queries": {
"mode": "selected",
"ids": [
5,
6,
7
]
},
"annotate": {
"enable": false,
"query": "*",
"size": 20,
"field": "_type",
"sort": [
"_score",
"desc"
]
},
"auto_int": true,
"resolution": 100,
"interval": "10m",
"intervals": [
"auto",
"1s",
"1m",
"5m",
"10m",
"30m",
"1h",
"3h",
"12h",
"1d",
"1w",
"1y"
],
"lines": false,
"fill": 0,
"linewidth": 3,
"points": false,
"pointradius": 5,
"bars": true,
"stack": true,
"spyable": true,
"zoomlinks": true,
"options": true,
"legend": true,
"show_query": true,
"interactive": true,
"legend_counts": true,
"timezone": "browser",
"percentage": false,
"zerofill": true,
"derivative": false,
"tooltip": {
"value_type": "cumulative",
"query_as_alias": true
},
"title": "TLS Issuer countries"
},
{
"error": false,
"span": 4,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "tls.version.raw",
"exclude": [],
"missing": false,
"other": false,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "pie",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
3
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "TLS Versions"
}
],
"notice": false
},
{
"title": "SSH",
"height": "150px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"error": false,
"span": 4,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "ssh.client.software_version.raw",
"exclude": [],
"missing": false,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "bar",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
9
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "SSH client version"
},
{
"error": false,
"span": 3,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "ssh.server.software_version.raw",
"exclude": [],
"missing": false,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "table",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
9
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "SSH server version"
},
{
"span": 5,
"editable": true,
"type": "histogram",
"loadingEditor": false,
"mode": "count",
"time_field": "@timestamp",
"value_field": null,
"x-axis": true,
"y-axis": true,
"scale": 1,
"y_format": "none",
"grid": {
"max": null,
"min": 0
},
"queries": {
"mode": "selected",
"ids": [
10,
11,
12
]
},
"annotate": {
"enable": false,
"query": "*",
"size": 20,
"field": "_type",
"sort": [
"_score",
"desc"
]
},
"auto_int": true,
"resolution": 100,
"interval": "10m",
"intervals": [
"auto",
"1s",
"1m",
"5m",
"10m",
"30m",
"1h",
"3h",
"12h",
"1d",
"1w",
"1y"
],
"lines": true,
"fill": 2,
"linewidth": 2,
"points": false,
"pointradius": 5,
"bars": false,
"stack": false,
"spyable": true,
"zoomlinks": true,
"options": true,
"legend": true,
"show_query": true,
"interactive": true,
"legend_counts": true,
"timezone": "browser",
"percentage": false,
"zerofill": true,
"derivative": false,
"tooltip": {
"value_type": "cumulative",
"query_as_alias": true
},
"title": "Client family"
}
],
"notice": false
},
{
"title": "DNS",
"height": "250px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"error": false,
"span": 2,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "dns.rrname.raw",
"exclude": [
"twitter",
" google"
],
"missing": false,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "table",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
2
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "DNS domain"
},
{
"span": 3,
"editable": true,
"type": "histogram",
"loadingEditor": false,
"mode": "mean",
"time_field": "@timestamp",
"value_field": "dns.ttl",
"x-axis": true,
"y-axis": true,
"scale": 1,
"y_format": "none",
"grid": {
"max": null,
"min": 0
},
"queries": {
"mode": "selected",
"ids": [
2
]
},
"annotate": {
"enable": false,
"query": "*",
"size": 20,
"field": "_type",
"sort": [
"_score",
"desc"
]
},
"auto_int": true,
"resolution": 100,
"interval": "10m",
"intervals": [
"auto",
"1s",
"1m",
"5m",
"10m",
"30m",
"1h",
"3h",
"12h",
"1d",
"1w",
"1y"
],
"lines": true,
"fill": 0,
"linewidth": 2,
"points": false,
"pointradius": 5,
"bars": false,
"stack": true,
"spyable": true,
"zoomlinks": true,
"options": true,
"legend": true,
"show_query": true,
"interactive": true,
"legend_counts": true,
"timezone": "browser",
"percentage": false,
"zerofill": true,
"derivative": false,
"tooltip": {
"value_type": "cumulative",
"query_as_alias": true
},
"title": "DNS ttl",
"scaleSeconds": false
},
{
"error": false,
"span": 2,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "dns.rrtype.raw",
"exclude": [],
"missing": false,
"other": false,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "pie",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
2
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "DNS query type"
},
{
"span": 4,
"editable": true,
"type": "histogram",
"loadingEditor": false,
"mode": "count",
"time_field": "@timestamp",
"value_field": null,
"x-axis": true,
"y-axis": true,
"scale": 1,
"y_format": "none",
"grid": {
"max": null,
"min": 0
},
"queries": {
"mode": "selected",
"ids": [
2
]
},
"annotate": {
"enable": false,
"query": "*",
"size": 20,
"field": "_type",
"sort": [
"_score",
"desc"
]
},
"auto_int": true,
"resolution": 100,
"interval": "10m",
"intervals": [
"auto",
"1s",
"1m",
"5m",
"10m",
"30m",
"1h",
"3h",
"12h",
"1d",
"1w",
"1y"
],
"lines": true,
"fill": 0,
"linewidth": 2,
"points": false,
"pointradius": 5,
"bars": false,
"stack": true,
"spyable": true,
"zoomlinks": true,
"options": true,
"legend": true,
"show_query": true,
"interactive": true,
"legend_counts": true,
"timezone": "browser",
"percentage": false,
"zerofill": true,
"derivative": false,
"tooltip": {
"value_type": "cumulative",
"query_as_alias": true
},
"title": "DNS requests"
}
],
"notice": false
},
{
"title": "Raw data",
"height": "150px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"error": false,
"span": 12,
"editable": true,
"group": [
"default"
],
"type": "table",
"size": 100,
"pages": 5,
"offset": 0,
"sort": [
"@timestamp",
"desc"
],
"style": {
"font-size": "9pt"
},
"overflow": "min-height",
"fields": [
"@timestamp",
"host",
"geoip.country_name",
"event_type",
"src_ip",
"dest_ip",
"src_port",
"dest_port",
"alert.signature",
"alert.signature_id",
"dns.rrname",
"dns.rdata"
],
"highlight": [],
"sortable": true,
"header": true,
"paging": true,
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
8
]
},
"field_list": false,
"status": "Stable",
"trimFactor": 300,
"normTimes": true,
"title": "Documents",
"all_fields": false,
"localTime": false,
"timeField": "@timestamp"
}
],
"notice": false
}
],
"editable": true,
"index": {
"interval": "day",
"pattern": "[logstash-]YYYY.MM.DD",
"default": "_all",
"warm_fields": true
},
"style": "light",
"failover": false,
"panel_hints": true,
"loader": {
"save_gist": false,
"save_elasticsearch": true,
"save_local": true,
"save_default": true,
"save_temp": true,
"save_temp_ttl_enable": true,
"save_temp_ttl": "30d",
"load_gist": true,
"load_elasticsearch": true,
"load_elasticsearch_size": 20,
"load_local": true,
"hide": false
},
"pulldowns": [
{
"type": "query",
"collapse": true,
"notice": false,
"query": "*",
"pinned": true,
"history": [
"event_type:ssh AND NOT ssh.client.software_version.raw:libssh*",
"event_type:ssh AND ssh.client.software_version.raw:libssh2*",
"event_type:ssh AND ssh.client.software_version:libssh-",
"event_type:ssh",
"event_type:*",
"NOT tls.issuerdn:\"C=FR\" AND NOT tls.issuerdn:\"C=US\" AND NOT tls.issuerdn.raw:\"O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA\" AND tls.issuerdn:*",
"tls.issuerdn:\"C=FR\"",
"tls.issuerdn:\"C=US\"",
"event_type:file",
"event_type:tls"
],
"remember": 10,
"enable": true
},
{
"type": "filtering",
"collapse": true,
"notice": false,
"enable": true
}
],
"nav": [
{
"type": "timepicker",
"collapse": false,
"notice": false,
"status": "Stable",
"time_options": [
"5m",
"15m",
"1h",
"6h",
"12h",
"24h",
"2d",
"7d",
"30d"
],
"refresh_intervals": [
"5s",
"10s",
"30s",
"1m",
"5m",
"15m",
"30m",
"1h",
"2h",
"1d"
],
"timefield": "@timestamp",
"enable": true,
"now": true,
"filter_id": 0
}
],
"refresh": "1m"
}
@rabinnh
Copy link

rabinnh commented Oct 19, 2014

Thanks for the dashboard, it's awesome. One bug, though. Line 49:
"query": "event_type:file"

Won't work. It needs to be:

"query": "event_type:fileinfo"

With that one change the File Type panel works great.

@komivitch
Copy link

komivitch commented Jan 6, 2017

Hello,
Please, Do you have this dashboard template for a new version of kibana? (kibana 5.0 and more)
Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment