[Oisf-devel] filemd5?

Marcos Rodriguez marcos.e.rodriguez at gmail.com
Thu Feb 16 18:46:42 UTC 2012


I'm really happy you took that detour, Victor!  We're doing something like
that with Python, along with checks to a blacklist of md5's.  Would love to
have this in Suricata!


marcos

On Thu, Feb 16, 2012 at 1:28 PM, James Pleger <jpleger at gmail.com> wrote:

> I could also help writing some example apps and/or documentation on
> methods to use it.
>
>
> On Thu, Feb 16, 2012 at 1:20 PM, Martin Holste <mcholste at gmail.com> wrote:
>
>> The first one: a growing single file or socket of JSON lines which a
>> script can read from and execute actions based on.  I'd be happy to
>> write such a script for plugins like CIF, Virustotal and malwr.com.
>>
>> On Thu, Feb 16, 2012 at 12:17 PM, Victor Julien <victor at inliniac.net>
>> wrote:
>> > On 02/16/2012 05:59 PM, Martin Holste wrote:
>> >> Regarding the Virustotal stuff, absolutely, though I don't think that
>> >> should be OISF's job to code.  That's a great place to put a script to
>> >> asynchronously handle the output from Suricata.  That's why a JSON
>> >> output would be perfect for piping to something that can do all of the
>> >> heavy-lifting and custom stuff in a script.  CIF, Virustotal, Cuckoo,
>> >> DLP--those are all easy tasks if you've got an ever-growing JSON
>> >> stream of md5's.
>> >
>> > So this json stream would be a single log file / unix socket
>> > continuously updated with the latest records? Your script would just tail
>> > it and do its business?
>> >
>> > Or are you looking for per file json files like how we do the .meta
>> > files now?
>> >
>> > --
>> > ---------------------------------------------
>> > Victor Julien
>> > http://www.inliniac.net/
>> > PGP: http://www.inliniac.net/victorjulien.asc
>> > ---------------------------------------------
>> >
>> > _______________________________________________
>> > Oisf-devel mailing list
>> > Oisf-devel at openinfosecfoundation.org
>> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
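The "tail a growing JSON-lines file and act on each md5" pattern that Martin and Marcos describe, as an added example that is not from the thread or from Suricata itself. The record layout (one JSON object per line with at least an "md5" key), the sample log, the blacklist and the `on_hit` hook are all assumptions constructed for this example; in practice the hook is where a CIF lookup or VirusTotal/malwr.com submission would go. The chunked reader keeps the trailing partial line between reads so a record that Suricata is still writing is not parsed (and silently dropped) early, and malformed lines are skipped rather than crashing the consumer.

```python
"""Tail a JSON-lines file log and act on md5 hashes found in it.

Added example, not code from the thread or from Suricata. The record
layout (one JSON object per line carrying "md5") is an assumption.
"""
import io
import json
import time
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample standing in for a file log (assumption). The last line is
# deliberately truncated to mimic a record that is still being written.
SAMPLE_LOG = (
    '{"timestamp":"2012-02-16T18:46:42","srcip":"10.0.0.5","filename":"a.exe",'
    '"md5":"d41d8cd98f00b204e9800998ecf8427e","size":0}\n'
    '{"timestamp":"2012-02-16T18:46:43","srcip":"10.0.0.7","filename":"b.pdf",'
    '"md5":"9e107d9d372bb6826bd81d3542a419d6","size":1234}\n'
    'this line is not json\n'
    '{"timestamp":"2012-02-16T18:46:44","srcip":"10.0.0.9","filename":"c.doc",'
    '"md5":"ABCDEF0123456789ABCDEF0123456789","size":77}\n'
    '{"timestamp":"2012-02-16T18:46:45","srcip":"10.0'
)

# Constructed blacklist (assumption); a real one would be fed from CIF or similar.
BLACKLIST: Set[str] = {
    "9e107d9d372bb6826bd81d3542a419d6",
    "abcdef0123456789abcdef0123456789",
}


def split_complete_lines(buf: str) -> Tuple[List[str], str]:
    """Return the complete lines in buf and the trailing partial line."""
    parts = buf.split("\n")
    return parts[:-1], parts[-1]


def parse_record(line: str) -> Optional[Dict]:
    """Parse one log line; None for malformed lines or records without an md5."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict):
        return None
    md5 = rec.get("md5")
    if not isinstance(md5, str) or len(md5) != 32:
        return None
    rec["md5"] = md5.lower()  # normalise so blacklist lookups are case-insensitive
    return rec


def process_chunk(chunk: str, state: Dict[str, str], blacklist: Set[str], on_hit) -> List[Dict]:
    """Consume newly read text, carrying the partial last line in state; returns hits."""
    hits = []
    lines, state["partial"] = split_complete_lines(state["partial"] + chunk)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["md5"] in blacklist:
            hits.append(rec)
            on_hit(rec)  # hypothetical hook: CIF / VirusTotal / malwr.com submission
    return hits


def scan_text(text: str, blacklist: Set[str] = BLACKLIST) -> Tuple[List[str], str]:
    """Feed text through the chunked processor in small pieces (to exercise the
    line-boundary handling); returns (matched md5s, unconsumed partial line)."""
    state = {"partial": ""}
    hits: List[Dict] = []
    for i in range(0, len(text), 37):
        hits.extend(process_chunk(text[i:i + 37], state, blacklist, lambda r: None))
    return [h["md5"] for h in hits], state["partial"]


def follow(path: str, blacklist: Set[str], on_hit, poll: float = 1.0) -> None:
    """Tail `path` like `tail -f`, dispatching on_hit for every blacklisted md5.

    Starts at the current end of file so only new records are acted on.
    """
    state = {"partial": ""}
    with open(path, "r", errors="replace") as fh:
        fh.seek(0, io.SEEK_END)
        while True:
            chunk = fh.read()
            if chunk:
                process_chunk(chunk, state, blacklist, on_hit)
            else:
                time.sleep(poll)


if __name__ == "__main__":
    matched, leftover = scan_text(SAMPLE_LOG)
    print("hits:", matched)
    print("still being written:", repr(leftover))
```

`follow()` is the long-running form; `scan_text()` runs the same processor over the embedded sample so the behaviour can be checked offline. Log rotation is not handled here: a production consumer would reopen the file when its inode changes, or read from the unix socket variant Victor mentions, which sidesteps rotation entirely.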