Fix correlation of suricata alerts for dns flows

2026-04-30 07:59:35 +00:00 · 2025-03-18 08:59:46 +01:00 · 2025-03-18 08:59:46 +01:00 · b1fb4322f9
commit b1fb4322f9
parent 8decdd3147
5 changed files with 37 additions and 39 deletions
--- a/scripts/lua/modules/check_definitions/syslog/suricata.lua
+++ b/scripts/lua/modules/check_definitions/syslog/suricata.lua
@ -263,17 +263,19 @@ function syslog_module.hooks.handleEvent(syslog_conf, message, host, priority)
      parseNetflowMetadata(event.netflow, flow)
      num_collected_flows = num_collected_flows + 1

+      if event.http ~= nil then
+         parseHTTPMetadata(event.http, flow)
+      elseif event.dns ~= nil then
+         parseDNSMetadata(event.dns, flow) 
+      elseif event.tls ~= nil then
+         parseTLSMetadata(event.tls, flow) 
+      end
+
+   --[[
   elseif event.event_type == "http" and event.http ~= nil then
      parseHTTPMetadata(event.http, flow)
      num_collected_flows = num_collected_flows + 1

-   elseif event.event_type == "fileinfo" then
-      if event.app_proto == "http" and event.http ~= nil then
-         parseHTTPMetadata(event.http, flow)
-      end
-      parseFileInfoMetadata(event.fileinfo, flow)
-      num_collected_flows = num_collected_flows + 1
-
   elseif event.event_type == "dns" and event.dns ~= nil then
      parseDNSMetadata(event.dns, flow) 
      num_collected_flows = num_collected_flows + 1
@ -281,6 +283,14 @@ function syslog_module.hooks.handleEvent(syslog_conf, message, host, priority)
   elseif event.event_type == "tls" and event.tls ~= nil then
      parseTLSMetadata(event.tls, flow) 
      num_collected_flows = num_collected_flows + 1
+   --]]
+
+   elseif event.event_type == "fileinfo" then
+      if event.app_proto == "http" and event.http ~= nil then
+         parseHTTPMetadata(event.http, flow)
+      end
+      parseFileInfoMetadata(event.fileinfo, flow)
+      num_collected_flows = num_collected_flows + 1

   elseif event.event_type == "stats" and event.stats ~= nil then
      parseStats(event.stats)