- # Suricata's flow_id example:
- # correlate all Suricata events (flow, protocol, anomaly and/or alert logs)
- # from the same flow by Suricata's "flow_id"
- # In this example we have (no alerts fired, but the logs are produced regardless):
- # 3 x HTTP protocol logs
- # 2 x File transaction logs
- # 1 x flow log
- # FLOW - flow_id==1811369704832308
- jq 'select(.flow_id==1811369704832308)' logs/eve.json
- # First HTTP protocol log as part of the flow 1811369704832308
- {
- "timestamp": "2021-02-08T16:59:12.847769+0100",
- "flow_id": 1811369704832308,
- "pcap_cnt": 2325,
- "event_type": "http",
- "src_ip": "10.2.8.101",
- "src_port": 49732,
- "dest_ip": "45.124.85.55",
- "dest_port": 80,
- "proto": "TCP",
- "tx_id": 0,
- "http": {
- "hostname": "tonmatdoanminh.com",
- "url": "/uninviting.php",
- "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63",
- "http_content_type": "text/html",
- "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
- "accept_encoding": "gzip, deflate",
- "accept_language": "en",
- "connection": "keep-alive",
- "content_encoding": "gzip",
- "content_length": "423",
- "content_type": "text/html; charset=UTF-8",
- "date": "Mon, 08 Feb 2021 15:59:13 GMT",
- "server": "nginx",
- "vary": "Accept-Encoding,User-Agent",
- "http_method": "GET",
- "protocol": "HTTP/1.1",
- "status": 200,
- "length": 423,
- "request_headers": [
- {
- "name": "Host",
- "value": "tonmatdoanminh.com"
- },
- {
- "name": "Connection",
- "value": "keep-alive"
- },
- {
- "name": "Upgrade-Insecure-Requests",
- "value": "1"
- },
- {
- "name": "User-Agent",
- "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63"
- },
- {
- "name": "Accept",
- "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
- },
- {
- "name": "Accept-Encoding",
- "value": "gzip, deflate"
- },
- {
- "name": "Accept-Language",
- "value": "en"
- }
- ],
- "response_headers": [
- {
- "name": "Server",
- "value": "nginx"
- },
- {
- "name": "Date",
- "value": "Mon, 08 Feb 2021 15:59:13 GMT"
- },
- {
- "name": "Content-Type",
- "value": "text/html; charset=UTF-8"
- },
- {
- "name": "Content-Length",
- "value": "423"
- },
- {
- "name": "Connection",
- "value": "keep-alive"
- },
- {
- "name": "Vary",
- "value": "Accept-Encoding,User-Agent"
- },
- {
- "name": "Content-Encoding",
- "value": "gzip"
- }
- ]
- }
- }
- # File transaction log as part of the flow 1811369704832308 (note src_ip/dest_ip are the reverse of the HTTP log: the file travels server-to-client, which is why correlating on flow_id is more reliable than matching the address tuple)
- {
- "timestamp": "2021-02-08T16:59:12.847769+0100",
- "flow_id": 1811369704832308,
- "pcap_cnt": 2325,
- "event_type": "fileinfo",
- "src_ip": "45.124.85.55",
- "src_port": 80,
- "dest_ip": "10.2.8.101",
- "dest_port": 49732,
- "proto": "TCP",
- "http": {
- "hostname": "tonmatdoanminh.com",
- "url": "/uninviting.php",
- "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63",
- "http_content_type": "text/html",
- "http_method": "GET",
- "protocol": "HTTP/1.1",
- "status": 200,
- "length": 423
- },
- "app_proto": "http",
- "fileinfo": {
- "filename": "/uninviting.php",
- "sid": [],
- "magic": "HTML document, ASCII text",
- "gaps": false,
- "state": "CLOSED",
- "sha256": "2777c710350668010542846968025d642d40984fa87ad21b3b175c0d2f7e0b31",
- "stored": false,
- "size": 754,
- "tx_id": 0
- }
- }
- # Second HTTP protocol log as part of the flow 1811369704832308
- {
- "timestamp": "2021-02-08T16:59:18.369971+0100",
- "flow_id": 1811369704832308,
- "pcap_cnt": 2994,
- "event_type": "http",
- "src_ip": "10.2.8.101",
- "src_port": 49732,
- "dest_ip": "45.124.85.55",
- "dest_port": 80,
- "proto": "TCP",
- "tx_id": 1,
- "http": {
- "hostname": "tonmatdoanminh.com",
- "url": "/uninviting.php",
- "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63",
- "http_content_type": "text/html",
- "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
- "accept_encoding": "gzip, deflate",
- "accept_language": "en",
- "cache_control": "max-age=0",
- "cookie": "d=0; n=UTC",
- "connection": "keep-alive",
- "content_encoding": "gzip",
- "content_type": "text/html; charset=UTF-8",
- "date": "Mon, 08 Feb 2021 15:59:17 GMT",
- "server": "nginx",
- "transfer_encoding": "chunked",
- "vary": "Accept-Encoding,User-Agent",
- "http_refer": "http://tonmatdoanminh.com/uninviting.php",
- "http_method": "GET",
- "protocol": "HTTP/1.1",
- "status": 200,
- "length": 567743,
- "request_headers": [
- {
- "name": "Host",
- "value": "tonmatdoanminh.com"
- },
- {
- "name": "Connection",
- "value": "keep-alive"
- },
- {
- "name": "Cache-Control",
- "value": "max-age=0"
- },
- {
- "name": "Upgrade-Insecure-Requests",
- "value": "1"
- },
- {
- "name": "User-Agent",
- "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63"
- },
- {
- "name": "Accept",
- "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
- },
- {
- "name": "Referer",
- "value": "http://tonmatdoanminh.com/uninviting.php"
- },
- {
- "name": "Accept-Encoding",
- "value": "gzip, deflate"
- },
- {
- "name": "Accept-Language",
- "value": "en"
- },
- {
- "name": "Cookie",
- "value": "d=0; n=UTC"
- }
- ],
- "response_headers": [
- {
- "name": "Server",
- "value": "nginx"
- },
- {
- "name": "Date",
- "value": "Mon, 08 Feb 2021 15:59:17 GMT"
- },
- {
- "name": "Content-Type",
- "value": "text/html; charset=UTF-8"
- },
- {
- "name": "Transfer-Encoding",
- "value": "chunked"
- },
- {
- "name": "Connection",
- "value": "keep-alive"
- },
- {
- "name": "Vary",
- "value": "Accept-Encoding,User-Agent"
- },
- {
- "name": "Content-Encoding",
- "value": "gzip"
- }
- ]
- }
- }
- # Second file transaction log as part of the flow 1811369704832308
- {
- "timestamp": "2021-02-08T16:59:18.369971+0100",
- "flow_id": 1811369704832308,
- "pcap_cnt": 2994,
- "event_type": "fileinfo",
- "src_ip": "45.124.85.55",
- "src_port": 80,
- "dest_ip": "10.2.8.101",
- "dest_port": 49732,
- "proto": "TCP",
- "http": {
- "hostname": "tonmatdoanminh.com",
- "url": "/uninviting.php",
- "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63",
- "http_content_type": "text/html",
- "http_refer": "http://tonmatdoanminh.com/uninviting.php",
- "http_method": "GET",
- "protocol": "HTTP/1.1",
- "status": 200,
- "length": 567743
- },
- "app_proto": "http",
- "fileinfo": {
- "filename": "/uninviting.php",
- "sid": [],
- "magic": "HTML document, ASCII text, with very long lines",
- "gaps": false,
- "state": "CLOSED",
- "sha256": "858aac988e85075348f32e4750f17bf5c16e579fff258d3def9f23563e89372d",
- "stored": false,
- "size": 1097546,
- "tx_id": 1
- }
- }
- # Third HTTP protocol log as part of the flow 1811369704832308
- {
- "timestamp": "2021-02-08T16:59:19.454434+0100",
- "flow_id": 1811369704832308,
- "pcap_cnt": 3030,
- "event_type": "http",
- "src_ip": "10.2.8.101",
- "src_port": 49732,
- "dest_ip": "45.124.85.55",
- "dest_port": 80,
- "proto": "TCP",
- "tx_id": 2,
- "http": {
- "hostname": "tonmatdoanminh.com",
- "url": "/favicon.ico",
- "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63",
- "http_content_type": "image/vnd.microsoft.icon",
- "accept": "image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8",
- "accept_encoding": "gzip, deflate",
- "accept_language": "en",
- "cache_control": "no-cache",
- "cookie": "d=0; n=UTC",
- "pragma": "no-cache",
- "connection": "keep-alive",
- "content_length": "0",
- "content_type": "image/vnd.microsoft.icon",
- "date": "Mon, 08 Feb 2021 15:59:20 GMT",
- "server": "nginx",
- "vary": "User-Agent",
- "http_refer": "http://tonmatdoanminh.com/uninviting.php",
- "http_method": "GET",
- "protocol": "HTTP/1.1",
- "status": 200,
- "length": 0,
- "request_headers": [
- {
- "name": "Host",
- "value": "tonmatdoanminh.com"
- },
- {
- "name": "Connection",
- "value": "keep-alive"
- },
- {
- "name": "Pragma",
- "value": "no-cache"
- },
- {
- "name": "Cache-Control",
- "value": "no-cache"
- },
- {
- "name": "User-Agent",
- "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63"
- },
- {
- "name": "Accept",
- "value": "image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"
- },
- {
- "name": "Referer",
- "value": "http://tonmatdoanminh.com/uninviting.php"
- },
- {
- "name": "Accept-Encoding",
- "value": "gzip, deflate"
- },
- {
- "name": "Accept-Language",
- "value": "en"
- },
- {
- "name": "Cookie",
- "value": "d=0; n=UTC"
- }
- ],
- "response_headers": [
- {
- "name": "Server",
- "value": "nginx"
- },
- {
- "name": "Date",
- "value": "Mon, 08 Feb 2021 15:59:20 GMT"
- },
- {
- "name": "Content-Type",
- "value": "image/vnd.microsoft.icon"
- },
- {
- "name": "Content-Length",
- "value": "0"
- },
- {
- "name": "Connection",
- "value": "keep-alive"
- },
- {
- "name": "Vary",
- "value": "User-Agent"
- }
- ]
- }
- }
- # Flow log as part of the flow 1811369704832308
- {
- "timestamp": "2021-02-08T16:58:15.247118+0100",
- "flow_id": 1811369704832308,
- "event_type": "flow",
- "src_ip": "10.2.8.101",
- "src_port": 49732,
- "dest_ip": "45.124.85.55",
- "dest_port": 80,
- "proto": "TCP",
- "app_proto": "http",
- "flow": {
- "pkts_toserver": 209,
- "pkts_toclient": 421,
- "bytes_toserver": 12737,
- "bytes_toclient": 591513,
- "start": "2021-02-08T16:59:12.146740+0100",
- "end": "2021-02-08T16:59:34.729928+0100",
- "age": 22,
- "state": "closed",
- "reason": "shutdown",
- "alerted": false
- },
- "tcp": {
- "tcp_flags": "1b",
- "tcp_flags_ts": "1b",
- "tcp_flags_tc": "1b",
- "syn": true,
- "fin": true,
- "psh": true,
- "ack": true,
- "state": "closed"
- }
- }