- # Suricata's flow_id example:
- # correlate all Suricata events (flow, protocol, anomaly and/or alert logs)
- # from the same flow by Suricata's "flow_id"
- # (flow_id is a 64-bit value; consumers that parse JSON numbers as IEEE doubles lose precision above 2^53,
- #  so compare it as a string there — the value in this example is below that limit)
- # In the example here we have
- # 3 x HTTP protocol logs
- # 3 x File transaction logs
- # 2 x Alert logs
- # 1 x flow log
- # FLOW - flow_id==1038930578016525
- jq 'select(.flow_id==1038930578016525)' logs/eve.json
- # HTTP protocol log as part of the flow
- {
- "timestamp": "2021-02-08T17:00:12.648463+0100",
- "flow_id": 1038930578016525,
- "pcap_cnt": 3883,
- "event_type": "http",
- "src_ip": "10.2.8.101",
- "src_port": 49757,
- "dest_ip": "8.208.10.147",
- "dest_port": 80,
- "proto": "TCP",
- "tx_id": 0,
- "http": {
- "hostname": "roanokemortgages.com",
- "url": "/0801.bin",
- "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
- "http_content_type": "application/octet-stream",
- "accept": "*/*",
- "cache_control": "no-cache",
- "connection": "keep-alive",
- "content_length": "876",
- "content_type": "application/octet-stream",
- "date": "Mon, 08 Feb 2021 16:00:13 GMT",
- "last_modified": "Mon, 08 Feb 2021 13:20:38 GMT",
- "server": "nginx",
- "http_method": "GET",
- "protocol": "HTTP/1.1",
- "status": 200,
- "length": 876,
- "request_headers": [
- {
- "name": "Accept",
- "value": "*/*"
- },
- {
- "name": "User-Agent",
- "value": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
- },
- {
- "name": "Host",
- "value": "roanokemortgages.com"
- },
- {
- "name": "Cache-Control",
- "value": "no-cache"
- }
- ],
- "response_headers": [
- {
- "name": "Server",
- "value": "nginx"
- },
- {
- "name": "Date",
- "value": "Mon, 08 Feb 2021 16:00:13 GMT"
- },
- {
- "name": "Content-Type",
- "value": "application/octet-stream"
- },
- {
- "name": "Content-Length",
- "value": "876"
- },
- {
- "name": "Connection",
- "value": "keep-alive"
- },
- {
- "name": "Last-Modified",
- "value": "Mon, 08 Feb 2021 13:20:38 GMT"
- },
- {
- "name": "ETag",
- "value": "\"60213aa6-36c\""
- },
- {
- "name": "Accept-Ranges",
- "value": "bytes"
- }
- ]
- }
- }
- # File transaction log as part of the flow 1038930578016525
- {
- "timestamp": "2021-02-08T17:00:12.648463+0100",
- "flow_id": 1038930578016525,
- "pcap_cnt": 3883,
- "event_type": "fileinfo",
- "src_ip": "8.208.10.147",
- "src_port": 80,
- "dest_ip": "10.2.8.101",
- "dest_port": 49757,
- "proto": "TCP",
- "http": {
- "hostname": "roanokemortgages.com",
- "url": "/0801.bin",
- "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
- "http_content_type": "application/octet-stream",
- "http_method": "GET",
- "protocol": "HTTP/1.1",
- "status": 200,
- "length": 876
- },
- "app_proto": "http",
- "fileinfo": {
- "filename": "/0801.bin",
- "sid": [],
- "magic": "data",
- "gaps": false,
- "state": "CLOSED",
- "sha256": "ee33a8fa2ae6f6b9366c97ed4c00c2796d98a371249dca725a01aca03caf747b",
- "stored": false,
- "size": 876,
- "tx_id": 0
- }
- }
- # second HTTP protocol log as part of the flow 1038930578016525
- {
- "timestamp": "2021-02-08T17:00:12.878417+0100",
- "flow_id": 1038930578016525,
- "pcap_cnt": 3908,
- "event_type": "http",
- "src_ip": "10.2.8.101",
- "src_port": 49757,
- "dest_ip": "8.208.10.147",
- "dest_port": 80,
- "proto": "TCP",
- "tx_id": 1,
- "http": {
- "hostname": "roanokemortgages.com",
- "url": "/0801s.bin",
- "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
- "http_content_type": "application/octet-stream",
- "accept": "*/*",
- "cache_control": "no-cache",
- "connection": "keep-alive",
- "content_length": "913",
- "content_type": "application/octet-stream",
- "date": "Mon, 08 Feb 2021 16:00:13 GMT",
- "last_modified": "Mon, 08 Feb 2021 13:20:37 GMT",
- "server": "nginx",
- "http_method": "GET",
- "protocol": "HTTP/1.1",
- "status": 200,
- "length": 913,
- "request_headers": [
- {
- "name": "Accept",
- "value": "*/*"
- },
- {
- "name": "User-Agent",
- "value": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
- },
- {
- "name": "Host",
- "value": "roanokemortgages.com"
- },
- {
- "name": "Cache-Control",
- "value": "no-cache"
- }
- ],
- "response_headers": [
- {
- "name": "Server",
- "value": "nginx"
- },
- {
- "name": "Date",
- "value": "Mon, 08 Feb 2021 16:00:13 GMT"
- },
- {
- "name": "Content-Type",
- "value": "application/octet-stream"
- },
- {
- "name": "Content-Length",
- "value": "913"
- },
- {
- "name": "Connection",
- "value": "keep-alive"
- },
- {
- "name": "Last-Modified",
- "value": "Mon, 08 Feb 2021 13:20:37 GMT"
- },
- {
- "name": "ETag",
- "value": "\"60213aa5-391\""
- },
- {
- "name": "Accept-Ranges",
- "value": "bytes"
- }
- ]
- }
- }
- # second file transaction log as part of the flow 1038930578016525
- {
- "timestamp": "2021-02-08T17:00:12.878417+0100",
- "flow_id": 1038930578016525,
- "pcap_cnt": 3908,
- "event_type": "fileinfo",
- "src_ip": "8.208.10.147",
- "src_port": 80,
- "dest_ip": "10.2.8.101",
- "dest_port": 49757,
- "proto": "TCP",
- "http": {
- "hostname": "roanokemortgages.com",
- "url": "/0801s.bin",
- "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
- "http_content_type": "application/octet-stream",
- "http_method": "GET",
- "protocol": "HTTP/1.1",
- "status": 200,
- "length": 913
- },
- "app_proto": "http",
- "fileinfo": {
- "filename": "/0801s.bin",
- "sid": [],
- "magic": "data",
- "gaps": false,
- "state": "CLOSED",
- "sha256": "7af0dc117d2dcd112f50889c4c8a14ac9ee55c2525a24fa66ff9a89b480b7e99",
- "stored": false,
- "size": 913,
- "tx_id": 1
- }
- }
- # Alert log as part of the flow 1038930578016525
- {
- "timestamp": "2021-02-08T17:00:13.183792+0100",
- "flow_id": 1038930578016525,
- "pcap_cnt": 4153,
- "event_type": "alert",
- "src_ip": "8.208.10.147",
- "src_port": 80,
- "dest_ip": "10.2.8.101",
- "dest_port": 49757,
- "proto": "TCP",
- "metadata": {
- "flowbits": [
- "exe.no.referer"
- ]
- },
- "alert": {
- "action": "allowed",
- "gid": 1,
- "signature_id": 2014819,
- "rev": 3,
- "signature": "ET INFO Packed Executable Download",
- "category": "Misc activity",
- "severity": 3,
- "metadata": {
- "created_at": [
- "2012_05_30"
- ],
- "updated_at": [
- "2012_05_30"
- ]
- }
- },
- "http": {},
- "app_proto": "http",
- "flow": {
- "pkts_toserver": 9,
- "pkts_toclient": 11,
- "bytes_toserver": 1042,
- "bytes_toclient": 9759,
- "start": "2021-02-08T17:00:12.297229+0100"
- }
- }
- # Second alert log as part of the flow 1038930578016525
- {
- "timestamp": "2021-02-08T17:00:13.408464+0100",
- "flow_id": 1038930578016525,
- "pcap_cnt": 4208,
- "event_type": "alert",
- "src_ip": "8.208.10.147",
- "src_port": 80,
- "dest_ip": "10.2.8.101",
- "dest_port": 49757,
- "proto": "TCP",
- "metadata": {
- "flowbits": [
- "exe.no.referer",
- "ET.http.binary"
- ]
- },
- "tx_id": 2,
- "alert": {
- "action": "allowed",
- "gid": 1,
- "signature_id": 2018959,
- "rev": 4,
- "signature": "ET POLICY PE EXE or DLL Windows file download HTTP",
- "category": "Potential Corporate Privacy Violation",
- "severity": 1,
- "metadata": {
- "created_at": [
- "2014_08_19"
- ],
- "former_category": [
- "POLICY"
- ],
- "updated_at": [
- "2017_02_01"
- ]
- }
- },
- "http": {
- "hostname": "roanokemortgages.com",
- "url": "/6lhjgfdghj.exe",
- "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
- "http_content_type": "application/octet-stream",
- "http_method": "GET",
- "protocol": "HTTP/1.1",
- "status": 200,
- "length": 41029
- },
- "files": [
- {
- "filename": "/6lhjgfdghj.exe",
- "sid": [],
- "gaps": false,
- "state": "UNKNOWN",
- "stored": false,
- "size": 41029,
- "tx_id": 2
- }
- ],
- "app_proto": "http",
- "flow": {
- "pkts_toserver": 24,
- "pkts_toclient": 37,
- "bytes_toserver": 1852,
- "bytes_toclient": 46939,
- "start": "2021-02-08T17:00:12.297229+0100"
- }
- }
- # Third HTTP protocol log as part of the flow 1038930578016525
- {
- "timestamp": "2021-02-08T17:00:13.699055+0100",
- "flow_id": 1038930578016525,
- "pcap_cnt": 4506,
- "event_type": "http",
- "src_ip": "10.2.8.101",
- "src_port": 49757,
- "dest_ip": "8.208.10.147",
- "dest_port": 80,
- "proto": "TCP",
- "metadata": {
- "flowbits": [
- "exe.no.referer",
- "ET.http.binary"
- ]
- },
- "tx_id": 2,
- "http": {
- "hostname": "roanokemortgages.com",
- "url": "/6lhjgfdghj.exe",
- "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
- "http_content_type": "application/octet-stream",
- "accept": "*/*",
- "cache_control": "no-cache",
- "connection": "keep-alive",
- "content_length": "273422",
- "content_type": "application/octet-stream",
- "date": "Mon, 08 Feb 2021 16:00:14 GMT",
- "last_modified": "Wed, 20 Jan 2021 09:59:19 GMT",
- "server": "nginx",
- "http_method": "GET",
- "protocol": "HTTP/1.1",
- "status": 200,
- "length": 273422,
- "request_headers": [
- {
- "name": "Accept",
- "value": "*/*"
- },
- {
- "name": "User-Agent",
- "value": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
- },
- {
- "name": "Host",
- "value": "roanokemortgages.com"
- },
- {
- "name": "Cache-Control",
- "value": "no-cache"
- }
- ],
- "response_headers": [
- {
- "name": "Server",
- "value": "nginx"
- },
- {
- "name": "Date",
- "value": "Mon, 08 Feb 2021 16:00:14 GMT"
- },
- {
- "name": "Content-Type",
- "value": "application/octet-stream"
- },
- {
- "name": "Content-Length",
- "value": "273422"
- },
- {
- "name": "Connection",
- "value": "keep-alive"
- },
- {
- "name": "Last-Modified",
- "value": "Wed, 20 Jan 2021 09:59:19 GMT"
- },
- {
- "name": "ETag",
- "value": "\"6007fef7-42c0e\""
- },
- {
- "name": "Accept-Ranges",
- "value": "bytes"
- }
- ]
- }
- }
- # third file transaction log as part of the flow 1038930578016525
- {
- "timestamp": "2021-02-08T17:00:13.699055+0100",
- "flow_id": 1038930578016525,
- "pcap_cnt": 4506,
- "event_type": "fileinfo",
- "src_ip": "8.208.10.147",
- "src_port": 80,
- "dest_ip": "10.2.8.101",
- "dest_port": 49757,
- "proto": "TCP",
- "metadata": {
- "flowbits": [
- "exe.no.referer",
- "ET.http.binary"
- ]
- },
- "http": {
- "hostname": "roanokemortgages.com",
- "url": "/6lhjgfdghj.exe",
- "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
- "http_content_type": "application/octet-stream",
- "http_method": "GET",
- "protocol": "HTTP/1.1",
- "status": 200,
- "length": 273422
- },
- "app_proto": "http",
- "fileinfo": {
- "filename": "/6lhjgfdghj.exe",
- "sid": [],
- "magic": "PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows",
- "gaps": false,
- "state": "CLOSED",
- "sha256": "94e60de577c84625da69f785ffe7e24c889bfa6923dc7b017c21e8a313e4e8e1",
- "stored": false,
- "size": 273422,
- "tx_id": 2
- }
- }
- # Flow log as part of the flow 1038930578016525
- {
- "timestamp": "2021-02-08T16:58:15.247118+0100",
- "flow_id": 1038930578016525,
- "event_type": "flow",
- "src_ip": "10.2.8.101",
- "src_port": 49757,
- "dest_ip": "8.208.10.147",
- "dest_port": 80,
- "proto": "TCP",
- "app_proto": "http",
- "flow": {
- "pkts_toserver": 105,
- "pkts_toclient": 207,
- "bytes_toserver": 6226,
- "bytes_toclient": 287136,
- "start": "2021-02-08T17:00:12.297229+0100",
- "end": "2021-02-08T17:01:56.764859+0100",
- "age": 104,
- "state": "closed",
- "reason": "shutdown",
- "alerted": true
- },
- "metadata": {
- "flowbits": [
- "exe.no.referer",
- "ET.http.binary"
- ]
- },
- "tcp": {
- "tcp_flags": "1b",
- "tcp_flags_ts": "1b",
- "tcp_flags_tc": "1b",
- "syn": true,
- "fin": true,
- "psh": true,
- "ack": true,
- "state": "closed"
- }
- }