Saturday, August 23, 2014

Suricata IDS/IPS - HTTP custom header logging


As a continuation of the article HERE- some more screenshots from the ready to use template....

For the Elasticsearch/Logstash/Kibana users there is a ready to use template that you could download from here - "HTTP-Extended-Custom"
https://github.com/pevma/Suricata-Logstash-Templates














Posted by at
Labels: , , , , , , , ,

12 comments:

  1. 挖土December 9, 2014 at 7:42 PM

    Dear all
    I have a question,i want to POST data output to eve.log file,but i didn't find where can configure the police, can you help me? thx

    ReplyDelete
  2. PevmaDecember 10, 2014 at 3:18 PM

    I am not sure I understand your question?

    ReplyDelete
  3. 挖土December 10, 2014 at 7:14 PM

    example post request:

    POST / HTTP/1.1
    Host: www.xx.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6)
    Gecko/20050225 Firefox/1.0.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 40
    Connection: Keep-Alive

    name=Professional%20Ajax&publisher=Wiley

    i mean is that store the data "name=Professional%20Ajax&publisher=Wiley" in eve.log file with json type

    ReplyDelete
  4. PevmaDecember 11, 2014 at 10:46 AM

    again - not clearly understanding what is your question. Maybe you could do a quick "grep" and see an example output or just click on a http record in the Kibana dashboard and see all the fields available and their data.

    ReplyDelete
    Replies
    1. 挖土December 11, 2014 at 11:34 PM

      oh..no...I can't describe more clearly, if you have a post request, the post data now can't see in the eve.log(example"name=Professional%20Ajax&publisher=Wiley",this post data ), my question is how to do about that ,then i can see the post data in eve.log ?if you again again not clearly,i want say "Thank you very much!"

      Delete
    2. PevmaDecember 12, 2014 at 7:31 AM

      You want to write POST data to eve.log, correct?

      Delete
    3. 挖土December 14, 2014 at 7:14 PM

      Yes , you are correct!!

      Delete
  5. PevmaDecember 15, 2014 at 3:01 AM

    It is a standard JSON format so this is depending on the script/transport that you would want to use.What kind of script/language are you using Java/Python/Perl.... ?

    ReplyDelete
  6. PevmaDecember 16, 2014 at 2:01 AM

    I think those three would be a good start for Python/JSON and would give you an idea:
    https://simplejson.readthedocs.org/en/latest/
    https://docs.python.org/2/library/json.html
    http://pymotw.com/2/json/

    ReplyDelete
  7. 挖土December 16, 2014 at 6:08 PM

    Dear Peter
    I know that web sites,but i mean is not that; i mean is through suricata get post data and save post data to eve.log, can you clearly understanding ?

    ReplyDelete
  8. PevmaDecember 17, 2014 at 6:34 AM

    Ok. Then I would suggest asking that question on our OISF mailing list. I am sure you will get a lot more help there from a that point of view.
    https://lists.openinfosecfoundation.org/mailman/listinfo

    ReplyDelete

Subscribe to: Post Comments (Atom)