As of Suricata 2.0, the Suricata IDS/IPS provides a standard JSON output logging capability. This guide makes use of Suricata and ELK (Elasticsearch, Logstash, Kibana).
You can install all of them following the guide HERE
...or you can download and try out SELKS and use directly.
Once you have the installation in place and the Kibana web interface up and running, you can make use of the following fileinfo filters (tricks :).
You can enter the queries like so:
fileinfo.magic:"PE32" -fileinfo.filename:*exe
will show you all "PE32 executable" files that were seen transferred and have no exe extension in their file name.
Alternatively,
fileinfo.magic:"pdf" -fileinfo.filename:*pdf
will show you all "PDF document, version ..." files that were transferred and have no pdf extension in their file name.
You can explore further :)
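The same extension-versus-magic mismatch check can be run directly over Suricata's EVE JSON log file, without Kibana. The following is an added example (not from the original post or from the Suricata project): it reads constructed fileinfo records, keeps the two pairs the queries above use (PE32 without exe, PDF without pdf), and generalizes them into a small mapping you can extend; the magic strings and extension sets in EXPECTED_EXTENSIONS are assumptions for illustration.

```python
import json

# Constructed EVE records for demonstration (not real Suricata output); the
# field layout follows the EVE "fileinfo" event type used by the Kibana queries.
SAMPLE_EVE = r"""
{"timestamp":"2014-01-01T00:00:00.000000+0000","event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","fileinfo":{"filename":"/downloads/report.pdf","magic":"PDF document, version 1.4","size":1024}}
{"timestamp":"2014-01-01T00:00:01.000000+0000","event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","fileinfo":{"filename":"/images/photo.jpg","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","size":73216}}
{"timestamp":"2014-01-01T00:00:02.000000+0000","event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","fileinfo":{"filename":"/tmp/update.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","size":90112}}
{"timestamp":"2014-01-01T00:00:03.000000+0000","event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","fileinfo":{"filename":"/docs/invoice","magic":"PDF document, version 1.7","size":2048}}
{"timestamp":"2014-01-01T00:00:04.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","http":{"hostname":"example.test"}}
"""

# Substring of fileinfo.magic -> extensions that legitimately carry that content.
# The first two entries mirror the Kibana queries in the post; the extension
# sets are an assumed starting point, tune them for your environment.
EXPECTED_EXTENSIONS = {
    "PE32": {".exe", ".dll", ".sys"},
    "PDF document": {".pdf"},
}


def find_mismatches(eve_text, expected=EXPECTED_EXTENSIONS):
    """Return (timestamp, filename, magic) for fileinfo events whose magic
    type is not reflected by the filename extension."""
    hits = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # Only fileinfo events carry the filename/magic pair.
        if event.get("event_type") != "fileinfo":
            continue
        info = event.get("fileinfo", {})
        magic = info.get("magic", "")
        filename = info.get("filename", "").lower()
        for needle, exts in expected.items():
            # Like the Kibana term query, match the magic string anywhere, not
            # only as a prefix; then require one of the expected extensions.
            if needle in magic and not any(filename.endswith(e) for e in exts):
                hits.append((event.get("timestamp"), filename, magic))
    return hits


if __name__ == "__main__":
    for ts, name, magic in find_mismatches(SAMPLE_EVE):
        print(f"{ts}  {name}  <-  {magic}")
```

To run it against a live sensor, replace SAMPLE_EVE with the contents of eve.json and review the hits alongside the flow and HTTP records for the same timestamps.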