Sunday, August 24, 2014

Suricata - filtering tricks for the fileinfo output with eve.json

As of Suricata 2.0  - Suricata IDS/IPS provides the availability of a standard JSON output logging capability. This guide makes use of Suricata and ELK - Elasticsearch, Logstash, Kibana.

You can install all of them following the guide HERE
 ...or you can download and try out SELKS  and use directly.

Once you have the installation in place and have the Kibana web interface up and running you can make use of the following fileinfo filters (tricks :).
You can enter the queries like so:

 fileinfo.magic:"PE32" -fileinfo.filename:*exe
will show you all "PE32 executable" executables that were seen transferred that have no exe extension in their file name:

fileinfo.magic:"pdf" -fileinfo.filename:*pdf

will show you all "PDF document version......" files that were transferred that have no PDF extension in their file name.

You can explore further :)

No comments:

Post a Comment