Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ;; This plugin takes logs from suricata's file engine
- ;;enabled in suricata like
- ;;- file-store:
- ;; enabled: no # set to yes to enable
- ;; log-dir: files # directory to store the files
- ;; force-magic: yes # force logging magic on all stored files
- ;; force-md5: yes # force logging of md5 checksums
- ;; #waldo: file.waldo # waldo file to store the file_id across runs
- ;;- file-log:
- ;; enabled: yes
- ;; filename: files-json.log
- ;; append: no
- ;; #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
- ;; force-magic: yes # force logging magic on all logged files
- ;; force-md5: yes # force logging of md5 checksums
- [DEFAULT]
- plugin_id=90010
- [config]
- type=detector
- enable=yes
- source=log
- location=/var/log/suricata/files-json.log
- # create log file if it does not exists,
- # otherwise stop processing this plugin
- create_file=false
- process=
- start=no
- stop=no
- startup=
- shutdown=
- [AD-exe-nomd5]
- event_type=event
- precheck="PE32"
- regexp="\"timestamp\"\:\s+\"(?P<date>.*?)\..*?\".*\"srcip\"\:\s+\"(?P<srcip>.*?)\".*\"dstip\"\:\s+\"(?P<dstip>.*?)\".*\"sp\"\:\s+(?P<srcport>\d+),.*\"dp\"\:\s+(?P<dstport>\d+),.*\"http_uri\"\:\s+\"(?P<uri>.*?)\".*\"http_host\"\:\s+\"(?P<host>.*?)\".*\"filename\"\:\s+\"(?P<filename>.*?)\"."
- #date={normalize_date($date)}
- device="192.168.100.71"
- src_ip={$srcip}
- dst_ip={$dstip}
- src_port={$srcport}
- dst_port={$dstport}
- filename={$filename}
- userdata2={$uri}
- userdata3={$host}
- plugin_sid=1
- [AA-exe-md5]
- event_type=event
- precheck="PE32"
- regexp="\"timestamp\"\:\s+\"(?P<date>.*?)\..*?\".*\"srcip\"\:\s+\"(?P<srcip>.*?)\".*\"dstip\"\:\s+\"(?P<dstip>.*?)\".*\"sp\"\:\s+(?P<srcport>\d+),.*\"dp\"\:\s+(?P<dstport>\d+),.*\"http_uri\"\:\s+\"(?P<uri>.*?)\".*\"http_host\"\:\s+\"(?P<host>.*?)\".*\"filename\"\:\s+\"(?P<filename>.*?)\".*\"md5\"\:\s+\"(?P<md5>.*?)\"."
- #date={normalize_date($date)}
- device="192.168.100.71"
- src_ip={$srcip}
- dst_ip={$dstip}
- src_port={$srcport}
- dst_port={$dstport}
- filename={$filename}
- userdata1={$md5}
- userdata2={$uri}
- userdata3={$host}
- plugin_sid=1
- #yes, I could use translate but there are a lot a variants and the regex is the same so I use precheck....
- [AC-pdf-nomd5]
- event_type=event
- precheck="PDF document"
- regexp="\"timestamp\"\:\s+\"(?P<date>.*?)\..*?\".*\"srcip\"\:\s+\"(?P<srcip>.*?)\".*\"dstip\"\:\s+\"(?P<dstip>.*?)\".*\"sp\"\:\s+(?P<srcport>\d+)\,.*\"dp\"\:\s+(?P<dstport>\d+)\,.*\"http_uri\"\:\s+\"(?P<uri>.*?)\".*\"http_host\"\:\s+\"(?P<host>.*?)\".*\"filename\"\:\s+\"(?P<filename>.*?)\"."
- #date={normalize_date($date)}
- device="192.168.100.71"
- src_ip={$srcip}
- dst_ip={$dstip}
- src_port={$srcport}
- dst_port={$dstport}
- filename={$filename}
- userdata2={$uri}
- userdata3={$host}
- plugin_sid=2
- [AB-pdf-md5]
- event_type=event
- precheck="PDF document"
- regexp="\"timestamp\"\:\s+\"(?P<date>.*?)\..*?\".*\"srcip\"\:\s+\"(?P<srcip>.*?)\".*\"dstip\"\:\s+\"(?P<dstip>.*?)\".*\"sp\"\:\s+(?P<srcport>\d+),.*\"dp\"\:\s+(?P<dstport>\d+),.*\"http_uri\"\:\s+\"(?P<uri>.*?)\".*\"http_host\"\:\s+\"(?P<host>.*?)\".*\"filename\"\:\s+\"(?P<filename>.*?)\".*\"md5\"\:\s+\"(?P<md5>.*?)\"."
- #date={normalize_date($date)}
- device="192.168.100.71"
- src_ip={$srcip}
- dst_ip={$dstip}
- src_port={$srcport}
- dst_port={$dstport}
- filename={$filename}
- userdata1={$md5}
- userdata2={$uri}
- userdata3={$host}
- plugin_sid=2
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement