[Oisf-devel] filemd5?

Chris Wakelin c.d.wakelin at reading.ac.uk
Thu Feb 16 19:01:26 UTC 2012


Is it possible to get Host header and query string in there? Sometimes
the badness comes from /?<hex string> which would just show up as
filename "/". It makes matching things to the HTTP log rather hard ...

Best Wishes,
Chris

On 16/02/12 18:56, Victor Julien wrote:
> How about a file full of:
> 
> {
> "id": 3,
> "timestamp": "10/02/2009-21:34:21.470806",
> "pcap_pkt_num": 3051,
> "srcip": "61.191.61.40",
> "dstip": "192.168.2.7",
> "protocol": 6,
> "sp": 80,
> "dp": 1091,
> "filename": "/ww/aa1.exe",
> "magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit",
> "state": "CLOSED",
> "md5": "c48f83c92573460e08e258fbd3a189e0",
> "size": 29200,
> }
> {
> "id": 4,
> "timestamp": "10/02/2009-21:34:29.313231",
> "pcap_pkt_num": 3994,
> "srcip": "61.191.61.40",
> "dstip": "192.168.2.7",
> "protocol": 6,
> "sp": 80,
> "dp": 1091,
> "filename": "/ww/aa2.exe",
> "magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit",
> "state": "CLOSED",
> "md5": "323f7705b0e297414e8c3aa37dfcf48a",
> "size": 30224,
> }
> 
> On 02/16/2012 07:20 PM, Martin Holste wrote:
>> The first one: a growing single file or socket of JSON lines which a
>> script can read from and execute actions based on.  I'd be happy to
>> write such a script for plugins like CIF, Virustotal and malwr.com.
>>
>> On Thu, Feb 16, 2012 at 12:17 PM, Victor Julien <victor at inliniac.net> wrote:
>>> On 02/16/2012 05:59 PM, Martin Holste wrote:
>>>> Regarding the Virustotal stuff, absolutely, though I don't think that
>>>> should be OISF's job to code.  That's a great place to put a script to
>>>> asynchronously handle the output from Suricata.  That's why a JSON
>>>> output would be perfect for piping to something that can do all of the
>>>> heavy-lifting and custom stuff in a script.  CIF, Virustotal, Cuckoo,
>>>> DLP--those are all easy tasks if you've got an ever-growing JSON
>>>> stream of md5's.
>>>
>>> So this json stream would be a single log file / unix socket
>>> continuously updated with the latest records? Your script would just tail
>>> it and do its business?
>>>
>>> Or are you looking for per file json files like how we do the .meta
>>> files now?
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>> _______________________________________________
>>> Oisf-devel mailing list
>>> Oisf-devel at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
> 
> 


-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
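Added example (not from the thread and not Suricata code): a Python consumer for the kind of JSON stream Martin and Victor are discussing, which also shows why Chris's Host/query-string point matters when you join back to the HTTP log. It assumes the record layout from Victor's sample (concatenated objects, one field per line, ending in ",\n}", which strict JSON rejects), a hypothetical HTTP log whose entries carry the flow 5-tuple plus "host" and "uri" fields, and a local dict as a stand-in for the CIF/VirusTotal lookups a real script would make. All sample records and hashes below are constructed.

```python
import json
import re
from datetime import datetime

# Added example, not Suricata code. Assumes the file-log format from the thread
# and a hypothetical HTTP log with the 5-tuple plus "host"/"uri" fields.
TS_FMT = "%m/%d/%Y-%H:%M:%S.%f"           # Suricata timestamp layout
_TRAILING_COMMA = re.compile(r",(\s*})")  # the sample ends objects with ",\n}"

# Constructed stream in the proposed format (fields abridged). The second record
# is the "/?<hex>" case: the file log alone only shows filename "/".
SAMPLE_FILE_LOG = """{
"id": 3,
"timestamp": "10/02/2009-21:34:21.470806",
"srcip": "61.191.61.40",
"dstip": "192.168.2.7",
"sp": 80,
"dp": 1091,
"filename": "/ww/aa1.exe",
"state": "CLOSED",
"md5": "c48f83c92573460e08e258fbd3a189e0",
"size": 29200,
}
{
"id": 4,
"timestamp": "10/02/2009-21:34:29.313231",
"srcip": "61.191.61.40",
"dstip": "192.168.2.7",
"sp": 80,
"dp": 1091,
"filename": "/",
"state": "CLOSED",
"md5": "323f7705b0e297414e8c3aa37dfcf48a",
"size": 30224,
}
"""

# Constructed HTTP log for the same keep-alive connection. Both requests share
# the 5-tuple, so the tuple alone cannot say which request delivered which file.
SAMPLE_HTTP_LOG = [
    {"timestamp": "10/02/2009-21:34:21.101000", "srcip": "192.168.2.7", "sp": 1091,
     "dstip": "61.191.61.40", "dp": 80, "host": "dl.example.invalid", "uri": "/ww/aa1.exe"},
    {"timestamp": "10/02/2009-21:34:28.900000", "srcip": "192.168.2.7", "sp": 1091,
     "dstip": "61.191.61.40", "dp": 80, "host": "dl.example.invalid",
     "uri": "/?a1b2c3d4e5f60718293a4b5c"},
]

# Stand-in for a CIF/VirusTotal lookup (constructed verdict, not real intel).
BLOCKLIST = {"323f7705b0e297414e8c3aa37dfcf48a": "constructed: known-bad dropper"}


def parse_stream(buf):
    """Decode concatenated JSON objects; return (records, unparsed_tail).

    A tailing reader keeps the tail (a half-written object) and prepends it to
    the next chunk. Trailing commas are stripped first because json rejects them.
    """
    buf = _TRAILING_COMMA.sub(r"\1", buf)
    dec, out, pos = json.JSONDecoder(), [], 0
    while pos < len(buf):
        if buf[pos].isspace():
            pos += 1
            continue
        try:
            obj, pos = dec.raw_decode(buf, pos)
        except json.JSONDecodeError:
            return out, buf[pos:]
        out.append(obj)
    return out, ""


def http_request_for(rec, http_log):
    """Pick the request that delivered `rec`. The file flows server->client, so
    the request has the tuple reversed; with keep-alive several requests share
    one tuple, so take the latest request that started at or before the file."""
    when = datetime.strptime(rec["timestamp"], TS_FMT)
    cands = [h for h in http_log
             if (h["srcip"], h["sp"], h["dstip"], h["dp"])
             == (rec["dstip"], rec["dp"], rec["srcip"], rec["sp"])
             and datetime.strptime(h["timestamp"], TS_FMT) <= when]
    return max(cands, key=lambda h: datetime.strptime(h["timestamp"], TS_FMT),
               default=None)


def process(chunk, http_log, blocklist, seen):
    """Consume one chunk of the stream; return (hits, unparsed_tail). `seen`
    dedups by md5 across chunks so a re-download does not trigger another
    external query."""
    records, tail = parse_stream(chunk)
    hits = []
    for rec in records:
        md5 = rec.get("md5")
        if rec.get("state") != "CLOSED" or not md5 or md5 in seen:
            continue
        seen.add(md5)
        if md5 in blocklist:
            req = http_request_for(rec, http_log) or {}
            hits.append({"md5": md5, "verdict": blocklist[md5],
                         "client": f'{rec["dstip"]}:{rec["dp"]}',
                         "filename": rec["filename"],
                         "host": req.get("host"), "uri": req.get("uri")})
    return hits, tail
```

Run against the constructed data, the hit for id 4 comes back with filename "/" but uri "/?a1b2c3d4e5f60718293a4b5c" and the Host header, which is exactly what a file record alone cannot tell you. Two caveats: the regex that strips trailing commas would also touch a ",}" inside a string value, so a fixed output format is preferable to this workaround; and the "latest request at or before the file" rule is a heuristic for keep-alive connections, not a transaction id, so pipelined requests can still be mis-paired.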


