  1. # Suricata flow_id example:
  2. # correlate all Suricata events (flow, protocol, anomaly and/or alert logs)
  3. # from the same flow by Suricata's "flow_id" (unique within one Suricata instance; when merging logs from several sensors, correlate on the sensor/host as well)
  4. # In this example there are no alerts, but the logs are produced regardless; the flow yields:
  5. # 3 x HTTP protocol logs
  6. # 2 x file transaction (fileinfo) logs
  7. # 1 x flow log
  8.  
  9. # FLOW - flow_id == 1811369704832308 (flow_id is a 64-bit integer; values above 2^53 lose precision in JavaScript and older jq releases, so compare it as a string if that applies)
  10.  
  11. jq 'select(.flow_id==1811369704832308)' logs/eve.json
  12.  
  13. # first HTTP protocol log as part of the flow 1811369704832308
  14. {
  15.   "timestamp": "2021-02-08T16:59:12.847769+0100",
  16.   "flow_id": 1811369704832308,
  17.   "pcap_cnt": 2325,
  18.   "event_type": "http",
  19.   "src_ip": "10.2.8.101",
  20.   "src_port": 49732,
  21.   "dest_ip": "45.124.85.55",
  22.   "dest_port": 80,
  23.   "proto": "TCP",
  24.   "tx_id": 0,
  25.   "http": {
  26.     "hostname": "tonmatdoanminh.com",
  27.     "url": "/uninviting.php",
  28.     "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63",
  29.     "http_content_type": "text/html",
  30.     "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
  31.     "accept_encoding": "gzip, deflate",
  32.     "accept_language": "en",
  33.     "connection": "keep-alive",
  34.     "content_encoding": "gzip",
  35.     "content_length": "423",
  36.     "content_type": "text/html; charset=UTF-8",
  37.     "date": "Mon, 08 Feb 2021 15:59:13 GMT",
  38.     "server": "nginx",
  39.     "vary": "Accept-Encoding,User-Agent",
  40.     "http_method": "GET",
  41.     "protocol": "HTTP/1.1",
  42.     "status": 200,
  43.     "length": 423,
  44.     "request_headers": [
  45.       {
  46.         "name": "Host",
  47.         "value": "tonmatdoanminh.com"
  48.       },
  49.       {
  50.         "name": "Connection",
  51.         "value": "keep-alive"
  52.       },
  53.       {
  54.         "name": "Upgrade-Insecure-Requests",
  55.         "value": "1"
  56.       },
  57.       {
  58.         "name": "User-Agent",
  59.         "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63"
  60.       },
  61.       {
  62.         "name": "Accept",
  63.         "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
  64.       },
  65.       {
  66.         "name": "Accept-Encoding",
  67.         "value": "gzip, deflate"
  68.       },
  69.       {
  70.         "name": "Accept-Language",
  71.         "value": "en"
  72.       }
  73.     ],
  74.     "response_headers": [
  75.       {
  76.         "name": "Server",
  77.         "value": "nginx"
  78.       },
  79.       {
  80.         "name": "Date",
  81.         "value": "Mon, 08 Feb 2021 15:59:13 GMT"
  82.       },
  83.       {
  84.         "name": "Content-Type",
  85.         "value": "text/html; charset=UTF-8"
  86.       },
  87.       {
  88.         "name": "Content-Length",
  89.         "value": "423"
  90.       },
  91.       {
  92.         "name": "Connection",
  93.         "value": "keep-alive"
  94.       },
  95.       {
  96.         "name": "Vary",
  97.         "value": "Accept-Encoding,User-Agent"
  98.       },
  99.       {
  100.         "name": "Content-Encoding",
  101.         "value": "gzip"
  102.       }
  103.     ]
  104.   }
  105. }
  106.  
  107. # first file transaction (fileinfo) log as part of the flow 1811369704832308
  108.  
  109. {
  110.   "timestamp": "2021-02-08T16:59:12.847769+0100",
  111.   "flow_id": 1811369704832308,
  112.   "pcap_cnt": 2325,
  113.   "event_type": "fileinfo",
  114.   "src_ip": "45.124.85.55",
  115.   "src_port": 80,
  116.   "dest_ip": "10.2.8.101",
  117.   "dest_port": 49732,
  118.   "proto": "TCP",
  119.   "http": {
  120.     "hostname": "tonmatdoanminh.com",
  121.     "url": "/uninviting.php",
  122.     "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63",
  123.     "http_content_type": "text/html",
  124.     "http_method": "GET",
  125.     "protocol": "HTTP/1.1",
  126.     "status": 200,
  127.     "length": 423
  128.   },
  129.   "app_proto": "http",
  130.   "fileinfo": {
  131.     "filename": "/uninviting.php",
  132.     "sid": [],
  133.     "magic": "HTML document, ASCII text",
  134.     "gaps": false,
  135.     "state": "CLOSED",
  136.     "sha256": "2777c710350668010542846968025d642d40984fa87ad21b3b175c0d2f7e0b31",
  137.     "stored": false,
  138.     "size": 754,
  139.     "tx_id": 0
  140.   }
  141. }
  142.  
  143. # second HTTP protocol log as part of the flow 1811369704832308
  144.  
  145. {
  146.   "timestamp": "2021-02-08T16:59:18.369971+0100",
  147.   "flow_id": 1811369704832308,
  148.   "pcap_cnt": 2994,
  149.   "event_type": "http",
  150.   "src_ip": "10.2.8.101",
  151.   "src_port": 49732,
  152.   "dest_ip": "45.124.85.55",
  153.   "dest_port": 80,
  154.   "proto": "TCP",
  155.   "tx_id": 1,
  156.   "http": {
  157.     "hostname": "tonmatdoanminh.com",
  158.     "url": "/uninviting.php",
  159.     "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63",
  160.     "http_content_type": "text/html",
  161.     "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
  162.     "accept_encoding": "gzip, deflate",
  163.     "accept_language": "en",
  164.     "cache_control": "max-age=0",
  165.     "cookie": "d=0; n=UTC",
  166.     "connection": "keep-alive",
  167.     "content_encoding": "gzip",
  168.     "content_type": "text/html; charset=UTF-8",
  169.     "date": "Mon, 08 Feb 2021 15:59:17 GMT",
  170.     "server": "nginx",
  171.     "transfer_encoding": "chunked",
  172.     "vary": "Accept-Encoding,User-Agent",
  173.     "http_refer": "http://tonmatdoanminh.com/uninviting.php",
  174.     "http_method": "GET",
  175.     "protocol": "HTTP/1.1",
  176.     "status": 200,
  177.     "length": 567743,
  178.     "request_headers": [
  179.       {
  180.         "name": "Host",
  181.         "value": "tonmatdoanminh.com"
  182.       },
  183.       {
  184.         "name": "Connection",
  185.         "value": "keep-alive"
  186.       },
  187.       {
  188.         "name": "Cache-Control",
  189.         "value": "max-age=0"
  190.       },
  191.       {
  192.         "name": "Upgrade-Insecure-Requests",
  193.         "value": "1"
  194.       },
  195.       {
  196.         "name": "User-Agent",
  197.         "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63"
  198.       },
  199.       {
  200.         "name": "Accept",
  201.         "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
  202.       },
  203.       {
  204.         "name": "Referer",
  205.         "value": "http://tonmatdoanminh.com/uninviting.php"
  206.       },
  207.       {
  208.         "name": "Accept-Encoding",
  209.         "value": "gzip, deflate"
  210.       },
  211.       {
  212.         "name": "Accept-Language",
  213.         "value": "en"
  214.       },
  215.       {
  216.         "name": "Cookie",
  217.         "value": "d=0; n=UTC"
  218.       }
  219.     ],
  220.     "response_headers": [
  221.       {
  222.         "name": "Server",
  223.         "value": "nginx"
  224.       },
  225.       {
  226.         "name": "Date",
  227.         "value": "Mon, 08 Feb 2021 15:59:17 GMT"
  228.       },
  229.       {
  230.         "name": "Content-Type",
  231.         "value": "text/html; charset=UTF-8"
  232.       },
  233.       {
  234.         "name": "Transfer-Encoding",
  235.         "value": "chunked"
  236.       },
  237.       {
  238.         "name": "Connection",
  239.         "value": "keep-alive"
  240.       },
  241.       {
  242.         "name": "Vary",
  243.         "value": "Accept-Encoding,User-Agent"
  244.       },
  245.       {
  246.         "name": "Content-Encoding",
  247.         "value": "gzip"
  248.       }
  249.     ]
  250.   }
  251. }
  252.  
  253. # second file transaction (fileinfo) log as part of the flow 1811369704832308
  254.  
  255. {
  256.   "timestamp": "2021-02-08T16:59:18.369971+0100",
  257.   "flow_id": 1811369704832308,
  258.   "pcap_cnt": 2994,
  259.   "event_type": "fileinfo",
  260.   "src_ip": "45.124.85.55",
  261.   "src_port": 80,
  262.   "dest_ip": "10.2.8.101",
  263.   "dest_port": 49732,
  264.   "proto": "TCP",
  265.   "http": {
  266.     "hostname": "tonmatdoanminh.com",
  267.     "url": "/uninviting.php",
  268.     "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63",
  269.     "http_content_type": "text/html",
  270.     "http_refer": "http://tonmatdoanminh.com/uninviting.php",
  271.     "http_method": "GET",
  272.     "protocol": "HTTP/1.1",
  273.     "status": 200,
  274.     "length": 567743
  275.   },
  276.   "app_proto": "http",
  277.   "fileinfo": {
  278.     "filename": "/uninviting.php",
  279.     "sid": [],
  280.     "magic": "HTML document, ASCII text, with very long lines",
  281.     "gaps": false,
  282.     "state": "CLOSED",
  283.     "sha256": "858aac988e85075348f32e4750f17bf5c16e579fff258d3def9f23563e89372d",
  284.     "stored": false,
  285.     "size": 1097546,
  286.     "tx_id": 1
  287.   }
  288. }
  289.  
  290. # third HTTP protocol log as part of the flow 1811369704832308
  291.  
  292. {
  293.   "timestamp": "2021-02-08T16:59:19.454434+0100",
  294.   "flow_id": 1811369704832308,
  295.   "pcap_cnt": 3030,
  296.   "event_type": "http",
  297.   "src_ip": "10.2.8.101",
  298.   "src_port": 49732,
  299.   "dest_ip": "45.124.85.55",
  300.   "dest_port": 80,
  301.   "proto": "TCP",
  302.   "tx_id": 2,
  303.   "http": {
  304.     "hostname": "tonmatdoanminh.com",
  305.     "url": "/favicon.ico",
  306.     "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63",
  307.     "http_content_type": "image/vnd.microsoft.icon",
  308.     "accept": "image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8",
  309.     "accept_encoding": "gzip, deflate",
  310.     "accept_language": "en",
  311.     "cache_control": "no-cache",
  312.     "cookie": "d=0; n=UTC",
  313.     "pragma": "no-cache",
  314.     "connection": "keep-alive",
  315.     "content_length": "0",
  316.     "content_type": "image/vnd.microsoft.icon",
  317.     "date": "Mon, 08 Feb 2021 15:59:20 GMT",
  318.     "server": "nginx",
  319.     "vary": "User-Agent",
  320.     "http_refer": "http://tonmatdoanminh.com/uninviting.php",
  321.     "http_method": "GET",
  322.     "protocol": "HTTP/1.1",
  323.     "status": 200,
  324.     "length": 0,
  325.     "request_headers": [
  326.       {
  327.         "name": "Host",
  328.         "value": "tonmatdoanminh.com"
  329.       },
  330.       {
  331.         "name": "Connection",
  332.         "value": "keep-alive"
  333.       },
  334.       {
  335.         "name": "Pragma",
  336.         "value": "no-cache"
  337.       },
  338.       {
  339.         "name": "Cache-Control",
  340.         "value": "no-cache"
  341.       },
  342.       {
  343.         "name": "User-Agent",
  344.         "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63"
  345.       },
  346.       {
  347.         "name": "Accept",
  348.         "value": "image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"
  349.       },
  350.       {
  351.         "name": "Referer",
  352.         "value": "http://tonmatdoanminh.com/uninviting.php"
  353.       },
  354.       {
  355.         "name": "Accept-Encoding",
  356.         "value": "gzip, deflate"
  357.       },
  358.       {
  359.         "name": "Accept-Language",
  360.         "value": "en"
  361.       },
  362.       {
  363.         "name": "Cookie",
  364.         "value": "d=0; n=UTC"
  365.       }
  366.     ],
  367.     "response_headers": [
  368.       {
  369.         "name": "Server",
  370.         "value": "nginx"
  371.       },
  372.       {
  373.         "name": "Date",
  374.         "value": "Mon, 08 Feb 2021 15:59:20 GMT"
  375.       },
  376.       {
  377.         "name": "Content-Type",
  378.         "value": "image/vnd.microsoft.icon"
  379.       },
  380.       {
  381.         "name": "Content-Length",
  382.         "value": "0"
  383.       },
  384.       {
  385.         "name": "Connection",
  386.         "value": "keep-alive"
  387.       },
  388.       {
  389.         "name": "Vary",
  390.         "value": "User-Agent"
  391.       }
  392.     ]
  393.   }
  394. }
  395.  
  396. # flow log (one record per flow) as part of the flow 1811369704832308
  397.  
  398. {
  399.   "timestamp": "2021-02-08T16:58:15.247118+0100",
  400.   "flow_id": 1811369704832308,
  401.   "event_type": "flow",
  402.   "src_ip": "10.2.8.101",
  403.   "src_port": 49732,
  404.   "dest_ip": "45.124.85.55",
  405.   "dest_port": 80,
  406.   "proto": "TCP",
  407.   "app_proto": "http",
  408.   "flow": {
  409.     "pkts_toserver": 209,
  410.     "pkts_toclient": 421,
  411.     "bytes_toserver": 12737,
  412.     "bytes_toclient": 591513,
  413.     "start": "2021-02-08T16:59:12.146740+0100",
  414.     "end": "2021-02-08T16:59:34.729928+0100",
  415.     "age": 22,
  416.     "state": "closed",
  417.     "reason": "shutdown",
  418.     "alerted": false
  419.   },
  420.   "tcp": {
  421.     "tcp_flags": "1b",
  422.     "tcp_flags_ts": "1b",
  423.     "tcp_flags_tc": "1b",
  424.     "syn": true,
  425.     "fin": true,
  426.     "psh": true,
  427.     "ack": true,
  428.     "state": "closed"
  429.   }
  430. }
  431.  
  432.  