Zeek-CVE-Enrichment

The Zeek-CVE-Enrichment Zeek package uses an input file named “cve_data.tsv” that contains known CVE information about hosts within an environment, to enrich the suricata_corelight.log and/or the notice.log. The information can come from multiple sources, including a manually created file.

The package works by monitoring every suricata_corelight and notice log entry for CVE alerts.

  1. When a suricata_corelight event is triggered, the script will search the suricata alert metadata for a CVE ID.

    1. If no CVE ID is found in the metadata, it will then search the Suricata signature name for the CVE ID.

  2. When a notice event is triggered, the script will search the message (“msg”) part of the Notice log for a CVE ID.

    1. If no CVE ID is found in the “msg”, the script will search the “note” section of the Notice log event.

  3. If a CVE ID is found in any location, for either log, the script will look up the host IP address in the “cve_data” table.

    1. If the host is found, the CVE ID found in the log is compared to the list of known CVEs for that host.

      1. If a match is found, the relevant log is enriched with additional information from the table.

As long as the input file is named “cve_data.tsv” and contains a host entry that matches a CVE alert in suricata_corelight.log or notice.log, that log will be enriched with additional data.
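The lookup logic described above, written out in Python as an added illustration (it is not the package's own Zeek code): the cve_data.tsv is parsed into a table keyed by IP, the CVE ID is taken from the first field that contains one in the priority order above (metadata then signature; msg then note), and an endpoint is enriched only when it is in the table and its known list contains that CVE. The single TSV row is constructed from the page's skynet entry; using id.orig_h/id.resp_h as the host keys for notice entries is an assumption.

```python
import re
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)  # e.g. CVE-2020-12313
ENRICH_FIELDS = ("uid", "cid", "hostname", "os_version", "source", "criticality")

# Constructed cve_data.tsv sample (real tabs, "#fields" header) mirroring the page's skynet row.
SAMPLE_TSV = (
    "#fields\tip\thostname\tuid\tcid\tcriticality\tmachine_domain\tos_version\tsource\tcve_list\n"
    "192.168.12.212\tskynet\tfae3f73ce1404e0aae1626dbddfc3fe8\te29b670f12d342e3bcc7170a288xxxx"
    "\tHigh\t-\tUbuntu 22.04\tCrowdStrike\tCVE-2020-12313,CVE-2016-1585,CVE-2022-36227\n"
)
def load_cve_data(text):
    """Parse the TSV into {ip: row}; cve_list becomes an upper-cased set of IDs."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = lines[0].split("\t")[1:]  # drop the leading "#fields" token
    table = {}
    for line in lines[1:]:
        row = dict(zip(fields, line.split("\t")))
        row["cve_list"] = {c.strip().upper() for c in row["cve_list"].split(",") if c.strip()}
        table[row["ip"]] = row
    return table

def find_cve(*candidates):
    """First CVE ID in the candidates, checked in the given priority order, else None."""
    for text in candidates:
        match = CVE_RE.search(text or "")
        if match:
            return match.group(0).upper()
    return None

def enrich(table, cve, orig_h, resp_h):
    """Add orig_/resp_vulnerable_host.* only for an endpoint that is in the table
    AND lists the alerted CVE; an unknown host or unlisted CVE adds nothing."""
    out = {}
    for prefix, ip in (("orig", orig_h), ("resp", resp_h)):
        host = table.get(ip)
        if cve and host and cve in host["cve_list"]:
            out[f"{prefix}_vulnerable_host.cve"] = cve
            for field in ENRICH_FIELDS:
                out[f"{prefix}_vulnerable_host.{field}"] = host[field]
    return out

def enrich_suricata(table, rec):
    # rec: flattened suricata_corelight entry; metadata is searched before the signature
    cve = find_cve(" ".join(rec.get("alert.metadata", [])), rec.get("alert.signature"))
    return enrich(table, cve, rec.get("id.orig_h"), rec.get("id.resp_h"))

def enrich_notice(table, rec):
    # rec: flattened notice entry; msg is searched before note
    cve = find_cve(rec.get("msg"), rec.get("note"))
    return enrich(table, cve, rec.get("id.orig_h"), rec.get("id.resp_h"))  # assumed host keys
```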

Input file (cve_data.tsv)

The input file should contain the following information (if it’s available):

  • IP address (required)

  • Hostname

  • Endpoint information source (required)

  • Endpoint criticality

  • Endpoint Unique ID

  • Customer ID

  • Machine domain

  • OS version

  • CVE list

The following is a sample input file created by this integration, using tab-separated values.

#fields ip      hostname  uid                               cid                              criticality  machine_domain    os_version           source       cve_list
10.21.0.102     DC        fb5946b0422e4da49e4575995fb89060  e29b670f12d342e3bcc7170a288xxxx  Critical     windomain.local   Windows Server 2016  CrowdStrike  CVE-2022-26904,CVE-2022-34701,CVE-2020-0911,CVE-2022-24479,CVE-2020-1477
192.168.1.120   fleet     04a15f26ace249f68c583fd7be70f9db  e29b670f12d342e3bcc7170a288xxxx  High         -                 Ubuntu 20.04         CrowdStrike  CVE-2020-12313,CVE-2020-12319,CVE-2022-36402,CVE-2022-38096,CVE-2022-38457
192.168.1.155   ss2oh     62c850ec617843f8959f1442843bb816  e29b670f12d342e3bcc7170a288xxxx  Unassigned   -                 Ubuntu 20.04         CrowdStrike  CVE-2020-12313,CVE-2020-12319,CVE-2022-36402,CVE-2022-38096,CVE-2022-38457
192.168.12.212  skynet    fae3f73ce1404e0aae1626dbddfc3fe8  e29b670f12d342e3bcc7170a288xxxx  High         -                 Ubuntu 22.04         CrowdStrike  CVE-2020-12313,CVE-2016-1585,CVE-2022-36227,CVE-2022-45884,CVE-2023-22995,CVE-2022-38457
192.168.56.102  DC        34a6b864b61146d6ad051a9d63a5585f  e29b670f12d342e3bcc7170a288xxxx  Critical     windomain.local   Windows Server 2016  CrowdStrike  CVE-2017-11771,CVE-2022-34718,CVE-2019-0736,CVE-2022-35744
192.168.56.103  WEF       0bb70f50a9a3470dbc3e09bd6eb18fc4  e29b670f12d342e3bcc7170a288xxxx  Unassigned   windomain.local   Windows Server 2016  CrowdStrike  CVE-2022-26904,CVE-2022-34701,CVE-2020-0911,CVE-2022-24479
192.168.56.104  WIN10     23fac76b0e5246f8b8ba22d1bbd6bc04  e29b670f12d342e3bcc7170a288xxxx  High         windomain.local   Windows 10           CrowdStrike  CVE-2022-23279,CVE-2020-1286,CVE-2021-33784,CVE-2022-23299,CVE-2020-1391

suricata_corelight log

A typical suricata_corelight.log provides content similar to this example:

  {
    _path: suricata_corelight
    _system_name: Lab-AP200
    _write_ts: 2023-08-01T01:22:20.096550Z
    alert.action: allowed
    alert.category: Attempted Information Leak
    alert.gid: 1
    alert.metadata: [
      created_at:2023_07_28
      updated_at:2023_07_28
    ]
    alert.rev: 1
    alert.severity: 2
    alert.signature: **CONTROL** curl User-Agent Outbound CVE-2020-12313
    alert.signature_id: 1000000
    community_id: 1:hfVPB4FWl48hOvuIzwyVBvzWBwY=
    flow_id: 11005288195832
    id.orig_h: 192.168.12.212
    id.orig_p: 48086
    id.resp_h: 3.160.22.77
    id.resp_p: 80
    id.vlan: 12
    pcap_cnt: 0
    service: http
    suri_id: Sp5Hxvr0blDf
    ts: 2023-08-01T01:22:20.092276Z
    tx_id: 0
    uid: CUWMCe4TJo8pS41Rnj
  }

If the Zeek package Zeek-CVE-Enrichment is loaded, the suricata_corelight.log and/or the notice.log will be enriched with additional content provided by the integration, similar to this example:

  {
    orig_vulnerable_host.cve: CVE-2020-12313
    orig_vulnerable_host.uid: fae3f73ce1404e0aae1626dbddfc3fe8
    orig_vulnerable_host.cid: e29b670f12d342e3bcc7170a288a0xxx
    orig_vulnerable_host.hostname: skynet
    orig_vulnerable_host.os_version: Ubuntu 22.04
    orig_vulnerable_host.source: CrowdStrike
    orig_vulnerable_host.criticality: High
  }

Note

Field names begin with “orig” or “resp” to identify which host is referenced.