;; This plugin parses the logs written by Suricata's file engine,
;; enabled in Suricata's configuration like this:
;;- file-store:
;; enabled: no # set to yes to enable
;; log-dir: files # directory to store the files
;; force-magic: yes # force logging magic on all stored files
;; force-md5: yes # force logging of md5 checksums
;; #waldo: file.waldo # waldo file to store the file_id across runs
;;- file-log:
;; enabled: yes
;; filename: files-json.log
;; append: no
;; #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
;; force-magic: yes # force logging magic on all logged files
;; force-md5: yes # force logging of md5 checksums
# Plugin identifier; it must be unique among the plugins installed on this
# OSSIM sensor. 90010 is presumably a custom (non-shipped) id — confirm it
# does not collide with a plugin bundled with your OSSIM version.
[DEFAULT]
plugin_id=90010
[config]
# Detector plugin: the agent reads a log file and turns matching lines
# into events.
type=detector
enable=yes

# Input is the file-log output of Suricata (see the header comment); the
# path must match where Suricata actually writes files-json.log.
source=log
location=/var/log/suricata/files-json.log

# create log file if it does not exist,
# otherwise stop processing this plugin
create_file=false

# The agent neither starts nor stops Suricata for this plugin, so the
# process hooks are left empty.
process=
start=no
stop=no
startup=
shutdown=
# Rule for downloaded PE executables whose log line carries no md5 field.
# Section names are prefixed AA..AD because the agent appears to evaluate
# rule sections in name order: the md5 variants (AA, AB) are tried first
# and this "nomd5" section is the fallback. The regexp below also matches
# lines that do contain an md5, so whether such a line yields one or two
# events depends on first-match behaviour — confirm for your agent version.
[AD-exe-nomd5]
event_type=event
# NOTE(review): precheck appears to be a plain substring test over the
# whole log line, not a check of the "magic" field. Any line containing
# "PE32" anywhere — including in the attacker-controlled http_uri or
# filename values — passes it, so a non-executable download can be
# classified as plugin_sid=1. Anchoring the file-type check inside the
# regexp (on the magic key itself) would avoid that; verify the key order
# in your log lines first.
precheck="PE32"
# Field-by-field extraction from one JSON line. The regexp hard-codes the
# key order timestamp, srcip, dstip, sp, dp, http_uri, http_host, filename.
# Values are not JSON-decoded, so an escaped quote (\") inside a string
# value truncates that non-greedy capture early. The \..*?\" fragment
# discards the subseconds and timezone of the timestamp.
regexp="\"timestamp\"\:\s+\"(?P<date>.*?)\..*?\".*\"srcip\"\:\s+\"(?P<srcip>.*?)\".*\"dstip\"\:\s+\"(?P<dstip>.*?)\".*\"sp\"\:\s+(?P<srcport>\d+),.*\"dp\"\:\s+(?P<dstport>\d+),.*\"http_uri\"\:\s+\"(?P<uri>.*?)\".*\"http_host\"\:\s+\"(?P<host>.*?)\".*\"filename\"\:\s+\"(?P<filename>.*?)\"."
# Timestamp normalisation is disabled: the date group is captured but not
# used, so the event presumably carries the agent-side time instead.
#date={normalize_date($date)}
# Hard-coded sensor address; replace with the Suricata host of your deployment.
device="192.168.100.71"
src_ip={$srcip}
dst_ip={$dstip}
src_port={$srcport}
dst_port={$dstport}
filename={$filename}
# URI and Host header of the download, as seen on the wire.
userdata2={$uri}
userdata3={$host}
# sid 1 = executable file
plugin_sid=1
# Rule for downloaded PE executables whose log line carries an md5 field
# (Suricata logs one when force-md5 is enabled, see the header). The AA
# prefix presumably makes the agent try this section before the "nomd5"
# fallback [AD-exe-nomd5] — confirm rule ordering for your agent version.
[AA-exe-md5]
event_type=event
# NOTE(review): precheck appears to be a plain substring test over the
# whole log line; "PE32" inside an attacker-controlled http_uri or filename
# passes it too, so a non-executable download can be tagged plugin_sid=1.
# Matching the magic key inside the regexp would remove that ambiguity.
precheck="PE32"
# Hard-codes the key order timestamp, srcip, dstip, sp, dp, http_uri,
# http_host, filename, md5. Values are not JSON-decoded, so an escaped
# quote (\") in a string value truncates that capture early; the
# \..*?\" fragment drops subseconds and timezone of the timestamp.
regexp="\"timestamp\"\:\s+\"(?P<date>.*?)\..*?\".*\"srcip\"\:\s+\"(?P<srcip>.*?)\".*\"dstip\"\:\s+\"(?P<dstip>.*?)\".*\"sp\"\:\s+(?P<srcport>\d+),.*\"dp\"\:\s+(?P<dstport>\d+),.*\"http_uri\"\:\s+\"(?P<uri>.*?)\".*\"http_host\"\:\s+\"(?P<host>.*?)\".*\"filename\"\:\s+\"(?P<filename>.*?)\".*\"md5\"\:\s+\"(?P<md5>.*?)\"."
# Timestamp normalisation is disabled: the date group is captured but not
# used, so the event presumably carries the agent-side time instead.
#date={normalize_date($date)}
# Hard-coded sensor address; replace with the Suricata host of your deployment.
device="192.168.100.71"
src_ip={$srcip}
dst_ip={$dstip}
src_port={$srcport}
dst_port={$dstport}
filename={$filename}
# md5 of the transferred file, useful for hash lookups downstream.
userdata1={$md5}
userdata2={$uri}
userdata3={$host}
# sid 1 = executable file
plugin_sid=1
# Yes, I could use translate, but there are a lot of variants and the regex is the same, so I use precheck instead.
# Rule for downloaded PDF files whose log line carries no md5 field; the
# fallback for [AB-pdf-md5], which the agent presumably tries first because
# of the section-name order. This regexp also matches lines that do contain
# an md5, so whether such a line yields one or two events depends on
# first-match behaviour — confirm for your agent version.
[AC-pdf-nomd5]
event_type=event
# NOTE(review): precheck appears to be a plain substring test over the
# whole log line; "PDF document" inside an attacker-controlled http_uri or
# filename passes it too. Matching the magic key inside the regexp would
# remove that ambiguity.
precheck="PDF document"
# Same extraction as the other rules (key order timestamp, srcip, dstip,
# sp, dp, http_uri, http_host, filename); the \, escapes here are
# equivalent to the plain commas used in the other sections. Values are
# not JSON-decoded, so an escaped quote (\") in a string value truncates
# that capture early.
regexp="\"timestamp\"\:\s+\"(?P<date>.*?)\..*?\".*\"srcip\"\:\s+\"(?P<srcip>.*?)\".*\"dstip\"\:\s+\"(?P<dstip>.*?)\".*\"sp\"\:\s+(?P<srcport>\d+)\,.*\"dp\"\:\s+(?P<dstport>\d+)\,.*\"http_uri\"\:\s+\"(?P<uri>.*?)\".*\"http_host\"\:\s+\"(?P<host>.*?)\".*\"filename\"\:\s+\"(?P<filename>.*?)\"."
# Timestamp normalisation is disabled: the date group is captured but not
# used, so the event presumably carries the agent-side time instead.
#date={normalize_date($date)}
# Hard-coded sensor address; replace with the Suricata host of your deployment.
device="192.168.100.71"
src_ip={$srcip}
dst_ip={$dstip}
src_port={$srcport}
dst_port={$dstport}
filename={$filename}
userdata2={$uri}
userdata3={$host}
# sid 2 = PDF document
plugin_sid=2
# Rule for downloaded PDF files whose log line carries an md5 field
# (Suricata logs one when force-md5 is enabled, see the header). The AB
# prefix presumably makes the agent try this section before the "nomd5"
# fallback [AC-pdf-nomd5] — confirm rule ordering for your agent version.
[AB-pdf-md5]
event_type=event
# NOTE(review): precheck appears to be a plain substring test over the
# whole log line; "PDF document" inside an attacker-controlled http_uri or
# filename passes it too. Matching the magic key inside the regexp would
# remove that ambiguity.
precheck="PDF document"
# Hard-codes the key order timestamp, srcip, dstip, sp, dp, http_uri,
# http_host, filename, md5. Values are not JSON-decoded, so an escaped
# quote (\") in a string value truncates that capture early; the
# \..*?\" fragment drops subseconds and timezone of the timestamp.
regexp="\"timestamp\"\:\s+\"(?P<date>.*?)\..*?\".*\"srcip\"\:\s+\"(?P<srcip>.*?)\".*\"dstip\"\:\s+\"(?P<dstip>.*?)\".*\"sp\"\:\s+(?P<srcport>\d+),.*\"dp\"\:\s+(?P<dstport>\d+),.*\"http_uri\"\:\s+\"(?P<uri>.*?)\".*\"http_host\"\:\s+\"(?P<host>.*?)\".*\"filename\"\:\s+\"(?P<filename>.*?)\".*\"md5\"\:\s+\"(?P<md5>.*?)\"."
# Timestamp normalisation is disabled: the date group is captured but not
# used, so the event presumably carries the agent-side time instead.
#date={normalize_date($date)}
# Hard-coded sensor address; replace with the Suricata host of your deployment.
device="192.168.100.71"
src_ip={$srcip}
dst_ip={$dstip}
src_port={$srcport}
dst_port={$dstport}
filename={$filename}
# md5 of the transferred file, useful for hash lookups downstream.
userdata1={$md5}
userdata2={$uri}
userdata3={$host}
# sid 2 = PDF document
plugin_sid=2