Suricata – filtering tricks for the fileinfo output with eve.json

As of Suricata 2.0  – Suricata IDS/IPS provides the availability of a standard JSON output logging capability. This guide makes use of Suricata and ELK – Elasticsearch, Logstash, Kibana.

You can install all of them following the guide HERE
 …or you can download and try out SELKS  and use directly.

Once you have the installation in place and have the Kibana web interface up and running you can make use of the following fileinfo filters (tricks :).
You can enter the queries like so:

 fileinfo.magic:”PE32″ -fileinfo.filename:*exe

will show you all “PE32 executable” executables that were seen transferred that have no exe extension in their file name:

 Alternatively

fileinfo.magic:”pdf” -fileinfo.filename:*pdf

will show you all “PDF document version……” files that were transferred that have no PDF extension in their file name.

You can explore further 🙂

Print Share Comment Cite Upload Translate

APA

() » Suricata – filtering tricks for the fileinfo output with eve.json. Retrieved from https://www.truth.cx/2014/08/24/suricata-filtering-tricks-for-the-fileinfo-output-with-eve-json/.

MLA

" » Suricata – filtering tricks for the fileinfo output with eve.json." - , https://www.truth.cx/2014/08/24/suricata-filtering-tricks-for-the-fileinfo-output-with-eve-json/

HARVARD

» Suricata – filtering tricks for the fileinfo output with eve.json., viewed ,

VANCOUVER

- » Suricata – filtering tricks for the fileinfo output with eve.json. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2014/08/24/suricata-filtering-tricks-for-the-fileinfo-output-with-eve-json/

CHICAGO

" » Suricata – filtering tricks for the fileinfo output with eve.json." - Accessed . https://www.truth.cx/2014/08/24/suricata-filtering-tricks-for-the-fileinfo-output-with-eve-json/

IEEE

" » Suricata – filtering tricks for the fileinfo output with eve.json." [Online]. Available: https://www.truth.cx/2014/08/24/suricata-filtering-tricks-for-the-fileinfo-output-with-eve-json/. [Accessed: ]

Select a language: Afrikaans Albanian Arabic Armenian Basque Bengali Bulgarian Catalan Cambodian Chinese (Mandarin) Croatian Czech Danish Dutch English Estonian Fiji Finnish French Georgian German Greek Gujarati Hebrew Hindi Hungarian Icelandic Indonesian Irish Italian Japanese Javanese Korean Latin Latvian Lithuanian Macedonian Malay Malayalam Maltese Maori Marathi Mongolian Nepali Norwegian Persian Polish Portuguese Punjabi Quechua Romanian Russian Samoan Serbian Slovak Slovenian Spanish Swahili Swedish Tamil Tatar Telugu Thai Tibetan Tonga Turkish Ukrainian Urdu Uzbek Vietnamese Welsh Xhosa <br />As of Suricata 2.0  - Suricata IDS/IPS provides the availability of a standard JSON output logging capability. This guide makes use of Suricata and ELK - <a href="http://www.elasticsearch.org/overview/" >Elasticsearch, Logstash, Kibana</a>.<br /><br />You can install all of them following the guide <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output" >HERE</a> <br /> ...or you can download and try out <a href="https://www.stamus-networks.com/open-source/" >SELKS</a>  and use directly.<br /><br />Once you have the installation in place and have the Kibana web interface up and running you can make use of the following fileinfo filters (tricks :).<br />You can enter the queries like so:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-1icqGA9b21k/U_Bv5hJyh6I/AAAAAAAAAfo/hqvuMtUb2ik/s1600/fileinfo3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-1icqGA9b21k/U_Bv5hJyh6I/AAAAAAAAAfo/hqvuMtUb2ik/s1600/fileinfo3.PNG" height="82" width="400" /></a></div><br /><br /><blockquote class="tr_bq"> fileinfo.magic:"PE32" -fileinfo.filename:*exe</blockquote>will show you all "PE32 executable" executables that were seen transferred that have no exe extension in their file name:<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-Wm3Z70jwgoc/U_BwIjxiaSI/AAAAAAAAAfw/-wbrbMRUs8A/s1600/fileinfo2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-Wm3Z70jwgoc/U_BwIjxiaSI/AAAAAAAAAfw/-wbrbMRUs8A/s1600/fileinfo2.PNG" height="133" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"></div><br /><br /><br /> Alternatively <br /><blockquote class="tr_bq">fileinfo.magic:"pdf" -fileinfo.filename:*pdf</blockquote><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-7rKLpsCelhM/U_Bw7CsDOOI/AAAAAAAAAgA/5FYV4Aa-AEg/s1600/fileinfo4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-7rKLpsCelhM/U_Bw7CsDOOI/AAAAAAAAAgA/5FYV4Aa-AEg/s1600/fileinfo4.PNG" height="76" width="320" /></a></div><br /><br />will show you all "PDF document version......" files that were transferred that have no PDF extension in their file name.<br /><br />You can explore further :)<br /><br /><br /><br /><br /><br /><br /> First name:

Last name: