Suricata IDS/IPS
Suricata EVE JSON output — IDS alerts with ET Open signatures, DNS/HTTP/TLS/SSH protocol logs, NetFlow records, and anomaly detections with correlated flow IDs and MITRE ATT&CK mapping.
Quick Start
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
--path generators/security-suricata/generator.yml \
--id suricata-01 \
--live-mode true

Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| flow-tcp | Flow (TCP) | 28.7% | network |
| flow-udp | Flow (UDP) | 17.2% | network |
| dns-query | DNS Query | 14.3% | network |
| dns-answer | DNS Answer | 14.3% | network |
| http | HTTP | 10.0% | network, web |
| tls | TLS | 7.2% | network |
| fileinfo | File Info | 2.2% | network |
| ssh | SSH | 1.4% | network |
| alert-policy | Alert (Policy) | 1.4% | intrusion_detection |
| anomaly | Anomaly | 1.1% | network |
| alert-threat | Alert (Threat) | 0.7% | intrusion_detection |
| smtp | SMTP | 0.7% | network |
| dhcp | DHCP | 0.7% | network |
Realism Features
- Weighted event distribution matching production Suricata deployments
- Correlated flow_id — protocol events push connection metadata; flow events pop correlated records
- DNS query/answer pairing — queries push to shared pool, answers pop correlated responses
- ET Open rule signatures with real SIDs, categories, severity levels, and MITRE ATT&CK metadata
- JA3/JA3S TLS fingerprints from real certificate data for major websites
- Deterministic community_id computed from connection tuple for cross-event correlation
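The two correlation guarantees above (one flow_id per connection, a community_id that is a pure function of the 5-tuple) are exactly what a consumer can verify. The block below is an added example written for this page, not code from eventum-generator or from Suricata: it implements Community ID v1 as published in Corelight's community-id-spec (seed, endpoints ordered lower-address-first, protocol number, zero pad, ports, SHA-1, base64, "1:" prefix), then runs two checks over a constructed batch of ECS-shaped records: every event sharing a flow_id must carry the same community_id and it must equal the recomputed value, and each DNS answer must pair with a query on (flow_id, dns.id). The endpoint field names (source.ip, source.port, destination.ip, destination.port) and the suricata.eve.flow_id path are the Filebeat Suricata module's ECS layout and are an assumption, since the sample output on the page omits them; the sample records are constructed, and one of them is deliberately stamped with a wrong community_id so the check has something to catch. The spec repository's README uses the tuple 128.232.110.120:34855 to 66.35.250.204:80 over TCP as its worked example, so the output of community_id_v1 for that tuple can be compared against the published value.

```python
"""Recompute Community ID v1 for Suricata EVE events and check the
flow_id / community_id correlation the generator promises.

Added example for this page, not eventum-generator or Suricata code.
Assumed ECS field paths: source.ip/port, destination.ip/port,
network.transport, network.community_id, suricata.eve.flow_id.
All input records are constructed."""
import base64
import hashlib
import ipaddress
import json
import struct
from collections import defaultdict

# Community ID v1 folds ICMP type/code into the port slots; that mapping is
# not implemented here, so only port-bearing transports are accepted.
PROTO_NUM = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(src_ip, src_port, dst_ip, dst_port, transport, seed=0):
    """seed(2) || lower endpoint addr || higher endpoint addr || proto(1) ||
    0x00 || lower port(2) || higher port(2), SHA-1, base64, '1:' prefix."""
    proto = PROTO_NUM[transport.lower()]
    saddr = ipaddress.ip_address(src_ip).packed
    daddr = ipaddress.ip_address(dst_ip).packed
    # Order the endpoints so both directions of a connection hash identically:
    # lower address first, lower port first when the addresses are equal.
    if not (saddr < daddr or (saddr == daddr and src_port < dst_port)):
        saddr, daddr = daddr, saddr
        src_port, dst_port = dst_port, src_port
    data = struct.pack("!H", seed) + saddr + daddr + struct.pack("!BB", proto, 0)
    data += struct.pack("!HH", src_port, dst_port)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode()


def load_eve(ndjson):
    """Parse newline-delimited EVE JSON as emitted by Suricata / Filebeat."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def recompute(event):
    return community_id_v1(
        event["source"]["ip"], event["source"]["port"],
        event["destination"]["ip"], event["destination"]["port"],
        event["network"]["transport"])


def validate_flows(events):
    """Group by flow_id. A flow passes when every event carries one and the
    same community_id and that value equals the one recomputed from its tuple."""
    by_flow = defaultdict(list)
    for e in events:
        by_flow[e["suricata"]["eve"]["flow_id"]].append(e)
    result = {}
    for fid, evs in by_flow.items():
        ids = {e["network"]["community_id"] for e in evs}
        result[fid] = len(ids) == 1 and ids == {recompute(evs[0])}
    return result


def pair_dns(events):
    """Match DNS answers to their query on (flow_id, dns.id). Returns the
    (query, answer) pairs and the answers that had no query on record."""
    pending, pairs, orphans = {}, [], []
    for e in events:
        dns = e.get("dns")
        if not dns:
            continue
        key = (e["suricata"]["eve"]["flow_id"], dns["id"])
        if dns["type"] == "query":
            pending[key] = e
        elif key in pending:
            pairs.append((pending.pop(key), e))
        else:
            orphans.append(e)
    return pairs, orphans


def ev(flow_id, transport, sip, sport, dip, dport, **extra):
    """Constructed ECS-shaped record. community_id is stamped from the tuple
    the way the generator does it; a real check would read it from the log."""
    e = {"suricata": {"eve": {"flow_id": flow_id}},
         "source": {"ip": sip, "port": sport},
         "destination": {"ip": dip, "port": dport},
         "network": {"transport": transport,
                     "community_id": community_id_v1(sip, sport, dip, dport, transport)}}
    e.update(extra)
    return e


# Constructed batch: a DNS query, its answer seen in the reverse direction,
# the flow record that closes that connection, a TLS-style TCP flow, and an
# answer whose query never appeared.
SAMPLE_EVENTS = [
    ev(1, "udp", "192.168.1.50", 53211, "192.168.1.1", 53,
       dns={"id": "45321", "type": "query",
            "question": {"name": "www.google.com", "type": "A"}}),
    ev(1, "udp", "192.168.1.1", 53, "192.168.1.50", 53211,
       dns={"id": "45321", "type": "answer", "rcode": "NOERROR"}),
    ev(1, "udp", "192.168.1.50", 53211, "192.168.1.1", 53),
    ev(2, "tcp", "192.168.1.50", 44122, "142.250.74.36", 443),
    ev(3, "udp", "192.168.1.50", 53212, "192.168.1.1", 53,
       dns={"id": "45322", "type": "answer", "rcode": "NXDOMAIN"}),
]
# Deliberately broken: flow 2's second event carries a community_id that does
# not belong to its tuple, so validate_flows must flag flow 2.
SAMPLE_EVENTS.append(dict(SAMPLE_EVENTS[3], network={
    "transport": "tcp", "community_id": "1:AAAAAAAAAAAAAAAAAAAAAAAAAAA="}))

if __name__ == "__main__":
    batch = load_eve("\n".join(json.dumps(e) for e in SAMPLE_EVENTS))
    print("flow consistency:", validate_flows(batch))
    pairs, orphans = pair_dns(batch)
    print("dns pairs:", len(pairs), "orphan answers:", len(orphans))
```

Flow 1 passes even though its answer was logged with source and destination swapped, which is the property the generator relies on when a flow record has to match the protocol events that preceded it; flow 2 fails because its two events disagree. The orphan-answer path is the one to watch in a real feed, where a sensor that started mid-connection or a generator whose shared pool was drained would produce exactly that.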
Sample Output
{
"@timestamp": "2026-02-21T14:30:22.123456Z",
"dns": {
"id": "45321",
"question": { "name": "www.google.com", "type": "A" },
"type": "query"
},
"event": {
"category": ["network"],
"dataset": "suricata.eve",
"kind": "event",
"module": "suricata"
},
"network": {
"community_id": "1:fmTf/MbjDMinU9coqCwDUc82LmA=",
"protocol": "dns",
"transport": "udp"
},
"observer": {
"hostname": "suricata-sensor-01",
"product": "Suricata",
"type": "ids"
}
}

Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | suricata-sensor-01 | Suricata sensor hostname |
| interface | eth0 | Network interface name |
| internal_subnet | 192.168.1 | Internal network prefix |
| dns_server_ip | 192.168.1.1 | DNS server IP address |
| agent_id | 7b2c5f18-... | Filebeat agent UUID |
| agent_version | 8.17.0 | Filebeat agent version |
Related Generators
Palo Alto Threat
Palo Alto PAN-OS Threat logs — IPS vulnerability exploits, antivirus detections, anti-spyware (DNS sinkhole and C2 callback), WildFire cloud verdicts, file type matching, and network scan detection with correlated severity, action, and threat category fields.
Palo Alto URL Filtering
Palo Alto PAN-OS URL Filtering logs — web browsing activity with 65+ URL categories, allow/block/continue/override actions, App-ID application attribution, and content type inspection.
Snort IDS/IPS
Snort IDS/IPS alert output — malware C2 callbacks, web application attacks, network reconnaissance, policy violations, protocol anomalies, and DoS detection across 13 alert classifications.