[Oisf-devel] filemd5?

Victor Julien victor at inliniac.net
Thu Feb 16 18:56:54 UTC 2012


How about a file full of:

{
"id": 3,
"timestamp": "10/02/2009-21:34:21.470806",
"pcap_pkt_num": 3051,
"srcip": "61.191.61.40",
"dstip": "192.168.2.7",
"protocol": 6,
"sp": 80,
"dp": 1091,
"filename": "/ww/aa1.exe",
"magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit",
"state": "CLOSED",
"md5": "c48f83c92573460e08e258fbd3a189e0",
"size": 29200
}
{
"id": 4,
"timestamp": "10/02/2009-21:34:29.313231",
"pcap_pkt_num": 3994,
"srcip": "61.191.61.40",
"dstip": "192.168.2.7",
"protocol": 6,
"sp": 80,
"dp": 1091,
"filename": "/ww/aa2.exe",
"magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit",
"state": "CLOSED",
"md5": "323f7705b0e297414e8c3aa37dfcf48a",
"size": 30224
}

On 02/16/2012 07:20 PM, Martin Holste wrote:
> The first one: a growing single file or socket of JSON lines which a
> script can read from and execute actions based on.  I'd be happy to
> write such a script for plugins like CIF, Virustotal and malwr.com.
> 
> On Thu, Feb 16, 2012 at 12:17 PM, Victor Julien <victor at inliniac.net> wrote:
>> On 02/16/2012 05:59 PM, Martin Holste wrote:
>>> Regarding the Virustotal stuff, absolutely, though I don't think that
>>> should be OISF's job to code.  That's a great place to put a script to
>>> asynchronously handle the output from Suricata.  That's why a JSON
>>> output would be perfect for piping to something that can do all of the
>>> heavy-lifting and custom stuff in a script.  CIF, Virustotal, Cuckoo,
>>> DLP--those are all easy tasks if you've got an ever-growing JSON
>>> stream of md5's.
>>
>> So this json stream would be a single log file / unix socket
>> continuously updated with the latest records? Your script would just tail
>> it and do its business?
>>
>> Or are you looking for per file json files like how we do the .meta
>> files now?
>>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
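As an added illustration (not code from the thread or from Suricata), here is the kind of consumer script the proposal above implies: it reads a growing file of back-to-back pretty-printed JSON objects, copes with a record that is still being written, and picks out the completed PE executables whose md5 has not been handled yet, deduplicated, for a downstream lookup. The sample stream, the field handling and the function names are assumptions built from the records in the mail.

```python
import json

# Constructed sample in the layout proposed above: pretty-printed objects
# back to back, the third cut off mid-write because the file is still growing.
SAMPLE_STREAM = """{
"id": 3, "srcip": "61.191.61.40", "dstip": "192.168.2.7",
"filename": "/ww/aa1.exe",
"magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit",
"state": "CLOSED", "md5": "c48f83c92573460e08e258fbd3a189e0", "size": 29200
}
{
"id": 4, "srcip": "61.191.61.40", "dstip": "192.168.2.7",
"filename": "/ww/aa2.exe",
"magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit",
"state": "CLOSED", "md5": "323f7705b0e297414e8c3aa37dfcf48a", "size": 30224
}
{
"id": 5, "filename": "/ww/aa3.exe", "md5": "0123456789ab"""

def parse_buffer(buf):
    """Split back-to-back JSON objects into (records, leftover). The last
    object may be truncated while Suricata is still writing it, so that
    tail is returned as leftover text to retry once more data arrives."""
    dec = json.JSONDecoder()
    records, pos = [], 0
    while True:
        while pos < len(buf) and buf[pos].isspace():
            pos += 1
        if pos >= len(buf):
            return records, ""
        try:
            obj, pos = dec.raw_decode(buf, pos)
        except json.JSONDecodeError:
            return records, buf[pos:]  # incomplete tail, keep for next round
        records.append(obj)

def pending_lookups(records, seen):
    """Pick what a downstream script would act on: completed PE executables
    whose md5 has not been handled before. `seen` is updated in place."""
    todo = []
    for r in records:
        md5 = r.get("md5")
        if r.get("state") != "CLOSED" or not md5 or md5 in seen:
            continue
        if not r.get("magic", "").startswith("PE32"):
            continue
        seen.add(md5)
        todo.append({"md5": md5, "filename": r.get("filename"), "src": r.get("srcip")})
    return todo
```

A tailing loop would append newly read bytes to the leftover returned by `parse_buffer` and call it again, keeping `seen` across iterations.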
