Saturday, August 23, 2014

Suricata IDS/IPS - HTTP custom header logging


As a continuation of the article HERE, some more screenshots from the ready-to-use template.

For Elasticsearch/Logstash/Kibana users there is a ready-to-use template, "HTTP-Extended-Custom", that you can download from here:
https://github.com/pevma/Suricata-Logstash-Templates
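To show what the custom header fields look like once they land in eve.json, here is an added example that is not code from this post, from the Logstash template repository, or from the Suricata project. It assumes (and this is an assumption, not something the post states) that a header listed under the http output's custom list in suricata.yaml appears inside the "http" object with its name lowercased and "-" replaced by "_" (so Accept-Language becomes accept_language). The eve.json lines below are constructed for the example, not captured traffic. Besides counting which custom headers were logged per hostname, it flags events where a credential-bearing header such as Authorization was written to the log, because whatever you list as a custom header ends up in eve.json and, through Logstash, in Elasticsearch.

```python
"""Summarise Suricata eve.json HTTP events that carry custom header fields.

Added example, not code from the blog post or the Suricata project.
Assumption: headers configured under outputs -> eve-log -> types -> http
-> custom are logged inside the "http" object with the header name
lowercased and '-' replaced by '_'. The sample lines are constructed.
"""
import json
from collections import Counter, defaultdict

# Constructed sample of eve.json lines (not real captured traffic).
SAMPLE_EVE = """\
{"timestamp":"2014-08-23T10:00:00.000000+0000","event_type":"http","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","http":{"hostname":"www.example.com","url":"/","http_user_agent":"Mozilla/5.0","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":1270,"accept_language":"en-US","accept_encoding":"gzip"}}
{"timestamp":"2014-08-23T10:00:01.000000+0000","event_type":"http","src_ip":"10.0.0.5","src_port":51001,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","http":{"hostname":"api.example.com","url":"/login","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":40,"http_content_type":"application/x-www-form-urlencoded","accept_encoding":"gzip, deflate","authorization":"Basic YWxpY2U6czNjcjN0"}}
{"timestamp":"2014-08-23T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.0.1","proto":"TCP","alert":{"signature_id":1,"signature":"test"}}
{"timestamp":"2014-08-23T10:00:03.000000+0000","event_type":"http","src_ip":"10.0.0.7","src_port":51002,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","http":{"hostname":"www.example.com","url":"/index.html","http_method":"GET","protocol":"HTTP/1.0","status":304,"length":0,"accept_language":"de-DE"}}
this line is not json and must be skipped
"""

# Headers as they would be listed under the http "custom:" key in suricata.yaml.
CUSTOM_HEADERS = ["Accept-Encoding", "Accept-Language", "Authorization"]


def eve_field_name(header):
    """Map a configured header name to the eve.json key (assumed convention)."""
    return header.lower().replace("-", "_")


def iter_http_events(text):
    """Yield parsed http events; skip other event types and unparsable lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # eve.json can contain a truncated line after a crash
        if ev.get("event_type") == "http" and isinstance(ev.get("http"), dict):
            yield ev


def summarise(text, custom_headers=CUSTOM_HEADERS):
    """Count per custom header how many http events logged it, and collect
    the distinct values seen per hostname."""
    keys = {h: eve_field_name(h) for h in custom_headers}
    counts = Counter()
    per_host = defaultdict(lambda: defaultdict(set))
    for ev in iter_http_events(text):
        http = ev["http"]
        host = http.get("hostname", "?")
        for header, key in keys.items():
            if key in http:
                counts[header] += 1
                per_host[host][header].add(http[key])
    return counts, per_host


def credential_leaks(text, sensitive=("Authorization", "Cookie", "Proxy-Authorization")):
    """Return (timestamp, hostname) of events where a credential-bearing
    header was written to the log, so you notice before it reaches Kibana."""
    keys = [eve_field_name(h) for h in sensitive]
    hits = []
    for ev in iter_http_events(text):
        if any(k in ev["http"] for k in keys):
            hits.append((ev["timestamp"], ev["http"].get("hostname", "?")))
    return hits


if __name__ == "__main__":
    counts, per_host = summarise(SAMPLE_EVE)
    for header, n in counts.most_common():
        print("%-16s logged in %d http events" % (header, n))
    for host, headers in per_host.items():
        for header, values in headers.items():
            print("  %s %s: %s" % (host, header, ", ".join(sorted(values))))
    for ts, host in credential_leaks(SAMPLE_EVE):
        print("WARNING: credential header logged at %s for %s" % (ts, host))
```

Run it against a real eve.json with `summarise(open("/var/log/suricata/eve.json").read())`; if a header you configured never shows up in the counts, check the key name with a quick grep before assuming the template's field mapping is wrong.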

12 comments:

  1. Dear all,
    I have a question: I want the POST data output to the eve.log file, but I didn't find where I can configure the policy. Can you help me? Thx

  2. I am not sure I understand your question?

  3. example post request:

    POST / HTTP/1.1
    Host: www.xx.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6)
    Gecko/20050225 Firefox/1.0.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 40
    Connection: Keep-Alive

    name=Professional%20Ajax&publisher=Wiley

    I mean: store the data "name=Professional%20Ajax&publisher=Wiley" in the eve.log file in JSON form.

  4. Again, I am not clearly understanding what your question is. Maybe you could do a quick "grep" and see an example output, or just click on an HTTP record in the Kibana dashboard and see all the fields available and their data.

    Replies
    1. Oh, no... I can't describe it more clearly. If you have a POST request, the POST data currently can't be seen in eve.log (for example "name=Professional%20Ajax&publisher=Wiley", this POST data). My question is how to do that, so that I can see the POST data in eve.log? If you again don't understand clearly, I want to say "Thank you very much!"

    2. You want to write POST data to eve.log, correct?

  5. It is a standard JSON format, so this depends on the script/transport that you would want to use. What kind of script/language are you using: Java/Python/Perl...?

  6. I think these three would be a good start for Python/JSON and would give you an idea:
    https://simplejson.readthedocs.org/en/latest/
    https://docs.python.org/2/library/json.html
    http://pymotw.com/2/json/

  7. Dear Peter,
    I know those web sites, but that is not what I mean; I mean getting the POST data through Suricata and saving the POST data to eve.log. Can you understand clearly?

  8. Ok. Then I would suggest asking that question on our OISF mailing list. I am sure you will get a lot more help there from that point of view.
    https://lists.openinfosecfoundation.org/mailman/listinfo
