  1. # Suricata's flow_id example:
  2. # correlate all Suricata EVE events (flow, protocol, anomaly and/or alert logs)
  3. # that belong to the same flow by Suricata's "flow_id" field
  4. # In the example here we have
  5. # 3 x HTTP protocol logs
  6. # 3 x File transaction logs
  7. # 2 x Alert logs
  8. # 1 x flow log
  9.  
  10.  
  11.  
  12.  
  13.  
  14. # FLOW - flow_id==1038930578016525 (every event below carries this value; it is emitted as a JSON number, so the filter is an exact integer comparison - consumers that read JSON numbers as IEEE doubles lose precision above 2^53, which this value stays below)
  15.  
  16. jq 'select(.flow_id==1038930578016525)' logs/eve.json  
  17.  
  18.  
  19. # HTTP protocol log as part of the flow
  20. {
  21.   "timestamp": "2021-02-08T17:00:12.648463+0100",
  22.   "flow_id": 1038930578016525,
  23.   "pcap_cnt": 3883,
  24.   "event_type": "http",
  25.   "src_ip": "10.2.8.101",
  26.   "src_port": 49757,
  27.   "dest_ip": "8.208.10.147",
  28.   "dest_port": 80,
  29.   "proto": "TCP",
  30.   "tx_id": 0,
  31.   "http": {
  32.     "hostname": "roanokemortgages.com",
  33.     "url": "/0801.bin",
  34.     "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
  35.     "http_content_type": "application/octet-stream",
  36.     "accept": "*/*",
  37.     "cache_control": "no-cache",
  38.     "connection": "keep-alive",
  39.     "content_length": "876",
  40.     "content_type": "application/octet-stream",
  41.     "date": "Mon, 08 Feb 2021 16:00:13 GMT",
  42.     "last_modified": "Mon, 08 Feb 2021 13:20:38 GMT",
  43.     "server": "nginx",
  44.     "http_method": "GET",
  45.     "protocol": "HTTP/1.1",
  46.     "status": 200,
  47.     "length": 876,
  48.     "request_headers": [
  49.       {
  50.         "name": "Accept",
  51.         "value": "*/*"
  52.       },
  53.       {
  54.         "name": "User-Agent",
  55.         "value": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
  56.       },
  57.       {
  58.         "name": "Host",
  59.         "value": "roanokemortgages.com"
  60.       },
  61.       {
  62.         "name": "Cache-Control",
  63.         "value": "no-cache"
  64.       }
  65.     ],
  66.     "response_headers": [
  67.       {
  68.         "name": "Server",
  69.         "value": "nginx"
  70.       },
  71.       {
  72.         "name": "Date",
  73.         "value": "Mon, 08 Feb 2021 16:00:13 GMT"
  74.       },
  75.       {
  76.         "name": "Content-Type",
  77.         "value": "application/octet-stream"
  78.       },
  79.       {
  80.         "name": "Content-Length",
  81.         "value": "876"
  82.       },
  83.       {
  84.         "name": "Connection",
  85.         "value": "keep-alive"
  86.       },
  87.       {
  88.         "name": "Last-Modified",
  89.         "value": "Mon, 08 Feb 2021 13:20:38 GMT"
  90.       },
  91.       {
  92.         "name": "ETag",
  93.         "value": "\"60213aa6-36c\""
  94.       },
  95.       {
  96.         "name": "Accept-Ranges",
  97.         "value": "bytes"
  98.       }
  99.     ]
  100.   }
  101. }
  102.  
  103. # File transaction log as part of the flow 1038930578016525
  104.  
  105. {
  106.   "timestamp": "2021-02-08T17:00:12.648463+0100",
  107.   "flow_id": 1038930578016525,
  108.   "pcap_cnt": 3883,
  109.   "event_type": "fileinfo",
  110.   "src_ip": "8.208.10.147",
  111.   "src_port": 80,
  112.   "dest_ip": "10.2.8.101",
  113.   "dest_port": 49757,
  114.   "proto": "TCP",
  115.   "http": {
  116.     "hostname": "roanokemortgages.com",
  117.     "url": "/0801.bin",
  118.     "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
  119.     "http_content_type": "application/octet-stream",
  120.     "http_method": "GET",
  121.     "protocol": "HTTP/1.1",
  122.     "status": 200,
  123.     "length": 876
  124.   },
  125.   "app_proto": "http",
  126.   "fileinfo": {
  127.     "filename": "/0801.bin",
  128.     "sid": [],
  129.     "magic": "data",
  130.     "gaps": false,
  131.     "state": "CLOSED",
  132.     "sha256": "ee33a8fa2ae6f6b9366c97ed4c00c2796d98a371249dca725a01aca03caf747b",
  133.     "stored": false,
  134.     "size": 876,
  135.     "tx_id": 0
  136.   }
  137. }
  138.  
  139. # second HTTP protocol log as part of the flow 1038930578016525
  140.  
  141. {
  142.   "timestamp": "2021-02-08T17:00:12.878417+0100",
  143.   "flow_id": 1038930578016525,
  144.   "pcap_cnt": 3908,
  145.   "event_type": "http",
  146.   "src_ip": "10.2.8.101",
  147.   "src_port": 49757,
  148.   "dest_ip": "8.208.10.147",
  149.   "dest_port": 80,
  150.   "proto": "TCP",
  151.   "tx_id": 1,
  152.   "http": {
  153.     "hostname": "roanokemortgages.com",
  154.     "url": "/0801s.bin",
  155.     "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
  156.     "http_content_type": "application/octet-stream",
  157.     "accept": "*/*",
  158.     "cache_control": "no-cache",
  159.     "connection": "keep-alive",
  160.     "content_length": "913",
  161.     "content_type": "application/octet-stream",
  162.     "date": "Mon, 08 Feb 2021 16:00:13 GMT",
  163.     "last_modified": "Mon, 08 Feb 2021 13:20:37 GMT",
  164.     "server": "nginx",
  165.     "http_method": "GET",
  166.     "protocol": "HTTP/1.1",
  167.     "status": 200,
  168.     "length": 913,
  169.     "request_headers": [
  170.       {
  171.         "name": "Accept",
  172.         "value": "*/*"
  173.       },
  174.       {
  175.         "name": "User-Agent",
  176.         "value": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
  177.       },
  178.       {
  179.         "name": "Host",
  180.         "value": "roanokemortgages.com"
  181.       },
  182.       {
  183.         "name": "Cache-Control",
  184.         "value": "no-cache"
  185.       }
  186.     ],
  187.     "response_headers": [
  188.       {
  189.         "name": "Server",
  190.         "value": "nginx"
  191.       },
  192.       {
  193.         "name": "Date",
  194.         "value": "Mon, 08 Feb 2021 16:00:13 GMT"
  195.       },
  196.       {
  197.         "name": "Content-Type",
  198.         "value": "application/octet-stream"
  199.       },
  200.       {
  201.         "name": "Content-Length",
  202.         "value": "913"
  203.       },
  204.       {
  205.         "name": "Connection",
  206.         "value": "keep-alive"
  207.       },
  208.       {
  209.         "name": "Last-Modified",
  210.         "value": "Mon, 08 Feb 2021 13:20:37 GMT"
  211.       },
  212.       {
  213.         "name": "ETag",
  214.         "value": "\"60213aa5-391\""
  215.       },
  216.       {
  217.         "name": "Accept-Ranges",
  218.         "value": "bytes"
  219.       }
  220.     ]
  221.   }
  222. }
  223.  
  224.  
  225. # second file transaction (fileinfo) log as part of the flow 1038930578016525
  226.  
  227.  
  228. {
  229.   "timestamp": "2021-02-08T17:00:12.878417+0100",
  230.   "flow_id": 1038930578016525,
  231.   "pcap_cnt": 3908,
  232.   "event_type": "fileinfo",
  233.   "src_ip": "8.208.10.147",
  234.   "src_port": 80,
  235.   "dest_ip": "10.2.8.101",
  236.   "dest_port": 49757,
  237.   "proto": "TCP",
  238.   "http": {
  239.     "hostname": "roanokemortgages.com",
  240.     "url": "/0801s.bin",
  241.     "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
  242.     "http_content_type": "application/octet-stream",
  243.     "http_method": "GET",
  244.     "protocol": "HTTP/1.1",
  245.     "status": 200,
  246.     "length": 913
  247.   },
  248.   "app_proto": "http",
  249.   "fileinfo": {
  250.     "filename": "/0801s.bin",
  251.     "sid": [],
  252.     "magic": "data",
  253.     "gaps": false,
  254.     "state": "CLOSED",
  255.     "sha256": "7af0dc117d2dcd112f50889c4c8a14ac9ee55c2525a24fa66ff9a89b480b7e99",
  256.     "stored": false,
  257.     "size": 913,
  258.     "tx_id": 1
  259.   }
  260. }
  261.  
  262. # Alert log as part of the flow 1038930578016525
  263.  
  264. {
  265.   "timestamp": "2021-02-08T17:00:13.183792+0100",
  266.   "flow_id": 1038930578016525,
  267.   "pcap_cnt": 4153,
  268.   "event_type": "alert",
  269.   "src_ip": "8.208.10.147",
  270.   "src_port": 80,
  271.   "dest_ip": "10.2.8.101",
  272.   "dest_port": 49757,
  273.   "proto": "TCP",
  274.   "metadata": {
  275.     "flowbits": [
  276.       "exe.no.referer"
  277.     ]
  278.   },
  279.   "alert": {
  280.     "action": "allowed",
  281.     "gid": 1,
  282.     "signature_id": 2014819,
  283.     "rev": 3,
  284.     "signature": "ET INFO Packed Executable Download",
  285.     "category": "Misc activity",
  286.     "severity": 3,
  287.     "metadata": {
  288.       "created_at": [
  289.         "2012_05_30"
  290.       ],
  291.       "updated_at": [
  292.         "2012_05_30"
  293.       ]
  294.     }
  295.   },
  296.   "http": {},
  297.   "app_proto": "http",
  298.   "flow": {
  299.     "pkts_toserver": 9,
  300.     "pkts_toclient": 11,
  301.     "bytes_toserver": 1042,
  302.     "bytes_toclient": 9759,
  303.     "start": "2021-02-08T17:00:12.297229+0100"
  304.   }
  305. }
  306.  
  307. # Second alert log as part of the flow 1038930578016525
  308.  
  309. {
  310.   "timestamp": "2021-02-08T17:00:13.408464+0100",
  311.   "flow_id": 1038930578016525,
  312.   "pcap_cnt": 4208,
  313.   "event_type": "alert",
  314.   "src_ip": "8.208.10.147",
  315.   "src_port": 80,
  316.   "dest_ip": "10.2.8.101",
  317.   "dest_port": 49757,
  318.   "proto": "TCP",
  319.   "metadata": {
  320.     "flowbits": [
  321.       "exe.no.referer",
  322.       "ET.http.binary"
  323.     ]
  324.   },
  325.   "tx_id": 2,
  326.   "alert": {
  327.     "action": "allowed",
  328.     "gid": 1,
  329.     "signature_id": 2018959,
  330.     "rev": 4,
  331.     "signature": "ET POLICY PE EXE or DLL Windows file download HTTP",
  332.     "category": "Potential Corporate Privacy Violation",
  333.     "severity": 1,
  334.     "metadata": {
  335.       "created_at": [
  336.         "2014_08_19"
  337.       ],
  338.       "former_category": [
  339.         "POLICY"
  340.       ],
  341.       "updated_at": [
  342.         "2017_02_01"
  343.       ]
  344.     }
  345.   },
  346.   "http": {
  347.     "hostname": "roanokemortgages.com",
  348.     "url": "/6lhjgfdghj.exe",
  349.     "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
  350.     "http_content_type": "application/octet-stream",
  351.     "http_method": "GET",
  352.     "protocol": "HTTP/1.1",
  353.     "status": 200,
  354.     "length": 41029
  355.   },
  356.   "files": [
  357.     {
  358.       "filename": "/6lhjgfdghj.exe",
  359.       "sid": [],
  360.       "gaps": false,
  361.       "state": "UNKNOWN",
  362.       "stored": false,
  363.       "size": 41029,
  364.       "tx_id": 2
  365.     }
  366.   ],
  367.   "app_proto": "http",
  368.   "flow": {
  369.     "pkts_toserver": 24,
  370.     "pkts_toclient": 37,
  371.     "bytes_toserver": 1852,
  372.     "bytes_toclient": 46939,
  373.     "start": "2021-02-08T17:00:12.297229+0100"
  374.   }
  375. }
  376.  
  377. # Third HTTP protocol log as part of the flow 1038930578016525
  378.  
  379. {
  380.   "timestamp": "2021-02-08T17:00:13.699055+0100",
  381.   "flow_id": 1038930578016525,
  382.   "pcap_cnt": 4506,
  383.   "event_type": "http",
  384.   "src_ip": "10.2.8.101",
  385.   "src_port": 49757,
  386.   "dest_ip": "8.208.10.147",
  387.   "dest_port": 80,
  388.   "proto": "TCP",
  389.   "metadata": {
  390.     "flowbits": [
  391.       "exe.no.referer",
  392.       "ET.http.binary"
  393.     ]
  394.   },
  395.   "tx_id": 2,
  396.   "http": {
  397.     "hostname": "roanokemortgages.com",
  398.     "url": "/6lhjgfdghj.exe",
  399.     "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
  400.     "http_content_type": "application/octet-stream",
  401.     "accept": "*/*",
  402.     "cache_control": "no-cache",
  403.     "connection": "keep-alive",
  404.     "content_length": "273422",
  405.     "content_type": "application/octet-stream",
  406.     "date": "Mon, 08 Feb 2021 16:00:14 GMT",
  407.     "last_modified": "Wed, 20 Jan 2021 09:59:19 GMT",
  408.     "server": "nginx",
  409.     "http_method": "GET",
  410.     "protocol": "HTTP/1.1",
  411.     "status": 200,
  412.     "length": 273422,
  413.     "request_headers": [
  414.       {
  415.         "name": "Accept",
  416.         "value": "*/*"
  417.       },
  418.       {
  419.         "name": "User-Agent",
  420.         "value": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
  421.       },
  422.       {
  423.         "name": "Host",
  424.         "value": "roanokemortgages.com"
  425.       },
  426.       {
  427.         "name": "Cache-Control",
  428.         "value": "no-cache"
  429.       }
  430.     ],
  431.     "response_headers": [
  432.       {
  433.         "name": "Server",
  434.         "value": "nginx"
  435.       },
  436.       {
  437.         "name": "Date",
  438.         "value": "Mon, 08 Feb 2021 16:00:14 GMT"
  439.       },
  440.       {
  441.         "name": "Content-Type",
  442.         "value": "application/octet-stream"
  443.       },
  444.       {
  445.         "name": "Content-Length",
  446.         "value": "273422"
  447.       },
  448.       {
  449.         "name": "Connection",
  450.         "value": "keep-alive"
  451.       },
  452.       {
  453.         "name": "Last-Modified",
  454.         "value": "Wed, 20 Jan 2021 09:59:19 GMT"
  455.       },
  456.       {
  457.         "name": "ETag",
  458.         "value": "\"6007fef7-42c0e\""
  459.       },
  460.       {
  461.         "name": "Accept-Ranges",
  462.         "value": "bytes"
  463.       }
  464.     ]
  465.   }
  466. }
  467.  
  468. # third file transaction (fileinfo) log as part of the flow 1038930578016525
  469.  
  470. {
  471.   "timestamp": "2021-02-08T17:00:13.699055+0100",
  472.   "flow_id": 1038930578016525,
  473.   "pcap_cnt": 4506,
  474.   "event_type": "fileinfo",
  475.   "src_ip": "8.208.10.147",
  476.   "src_port": 80,
  477.   "dest_ip": "10.2.8.101",
  478.   "dest_port": 49757,
  479.   "proto": "TCP",
  480.   "metadata": {
  481.     "flowbits": [
  482.       "exe.no.referer",
  483.       "ET.http.binary"
  484.     ]
  485.   },
  486.   "http": {
  487.     "hostname": "roanokemortgages.com",
  488.     "url": "/6lhjgfdghj.exe",
  489.     "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
  490.     "http_content_type": "application/octet-stream",
  491.     "http_method": "GET",
  492.     "protocol": "HTTP/1.1",
  493.     "status": 200,
  494.     "length": 273422
  495.   },
  496.   "app_proto": "http",
  497.   "fileinfo": {
  498.     "filename": "/6lhjgfdghj.exe",
  499.     "sid": [],
  500.     "magic": "PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows",
  501.     "gaps": false,
  502.     "state": "CLOSED",
  503.     "sha256": "94e60de577c84625da69f785ffe7e24c889bfa6923dc7b017c21e8a313e4e8e1",
  504.     "stored": false,
  505.     "size": 273422,
  506.     "tx_id": 2
  507.   }
  508. }
  509.  
  510. # Flow log as part of the flow 1038930578016525
  511.  
  512. {
  513.   "timestamp": "2021-02-08T16:58:15.247118+0100",
  514.   "flow_id": 1038930578016525,
  515.   "event_type": "flow",
  516.   "src_ip": "10.2.8.101",
  517.   "src_port": 49757,
  518.   "dest_ip": "8.208.10.147",
  519.   "dest_port": 80,
  520.   "proto": "TCP",
  521.   "app_proto": "http",
  522.   "flow": {
  523.     "pkts_toserver": 105,
  524.     "pkts_toclient": 207,
  525.     "bytes_toserver": 6226,
  526.     "bytes_toclient": 287136,
  527.     "start": "2021-02-08T17:00:12.297229+0100",
  528.     "end": "2021-02-08T17:01:56.764859+0100",
  529.     "age": 104,
  530.     "state": "closed",
  531.     "reason": "shutdown",
  532.     "alerted": true
  533.   },
  534.   "metadata": {
  535.     "flowbits": [
  536.       "exe.no.referer",
  537.       "ET.http.binary"
  538.     ]
  539.   },
  540.   "tcp": {
  541.     "tcp_flags": "1b",
  542.     "tcp_flags_ts": "1b",
  543.     "tcp_flags_tc": "1b",
  544.     "syn": true,
  545.     "fin": true,
  546.     "psh": true,
  547.     "ack": true,
  548.     "state": "closed"
  549.   }
  550. }
  551.  