[Oisf-devel] filemd5?

Josh White josh at securemind.org
Thu Feb 16 19:37:07 UTC 2012


That's perfect, and yes, if a field is unknown set it as "unknown". I
already have scripts for VirusTotal and a few others to log to MongoDB; if
we had a file or socket containing full JSON info on the extracted file
then we can let the DB do the correlation.

On Thu, Feb 16, 2012 at 1:56 PM, Victor Julien <victor at inliniac.net> wrote:

> How about a file full of:
>
> {
> "id": 3,
> "timestamp": "10/02/2009-21:34:21.470806",
> "pcap_pkt_num": 3051,
> "srcip": "61.191.61.40",
> "dstip": "192.168.2.7",
> "protocol": 6,
> "sp": 80,
> "dp": 1091,
> "filename": "/ww/aa1.exe",
> "magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit",
> "state": "CLOSED",
> "md5": "c48f83c92573460e08e258fbd3a189e0",
> "size": 29200
> }
> {
> "id": 4,
> "timestamp": "10/02/2009-21:34:29.313231",
> "pcap_pkt_num": 3994,
> "srcip": "61.191.61.40",
> "dstip": "192.168.2.7",
> "protocol": 6,
> "sp": 80,
> "dp": 1091,
> "filename": "/ww/aa2.exe",
> "magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit",
> "state": "CLOSED",
> "md5": "323f7705b0e297414e8c3aa37dfcf48a",
> "size": 30224
> }
>
> On 02/16/2012 07:20 PM, Martin Holste wrote:
> > The first one: a growing single file or socket of JSON lines which a
> > script can read from and execute actions based on.  I'd be happy to
> > write such a script for plugins like CIF, Virustotal and malwr.com.
> >
> > On Thu, Feb 16, 2012 at 12:17 PM, Victor Julien <victor at inliniac.net>
> wrote:
> >> On 02/16/2012 05:59 PM, Martin Holste wrote:
> >>> Regarding the Virustotal stuff, absolutely, though I don't think that
> >>> should be OISF's job to code.  That's a great place to put a script to
> >>> asynchronously handle the output from Suricata.  That's why a JSON
> >>> output would be perfect for piping to something that can do all of the
> >>> heavy-lifting and custom stuff in a script.  CIF, Virustotal, Cuckoo,
> >>> DLP--those are all easy tasks if you've got an ever-growing JSON
> >>> stream of md5's.
> >>
> >> So this JSON stream would be a single log file / unix socket
> >> continuously updated with the latest records? Your script would just tail
> >> it and do its business?
> >>
> >> Or are you looking for per file json files like how we do the .meta
> >> files now?
> >>
> >> --
> >> ---------------------------------------------
> >> Victor Julien
> >> http://www.inliniac.net/
> >> PGP: http://www.inliniac.net/victorjulien.asc
> >> ---------------------------------------------
> >>
> >> _______________________________________________
> >> Oisf-devel mailing list
> >> Oisf-devel at openinfosecfoundation.org
> >> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> >
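As an added example (not part of this thread and not Suricata's own code), here is the consumer side of what is being proposed: a script that reads the growing JSON stream in whatever chunks arrive, fills absent fields with "unknown" as agreed above, and hands each distinct md5 to plugin handlers exactly once. The field names are taken from Victor's sample records; the JsonStreamReader and Dispatcher classes, the MAX_RECORD cap, the once-per-md5 rule and the md5 format check are this example's own design, and SAMPLE is a constructed stream built from the thread's two records plus a non-JSON line, a repeated file and a bogus hash.

```python
# Added example (not Suricata's code): consume a JSON stream of extracted-file
# records, fill absent fields with "unknown", and act once per new md5.
import json
import re
from typing import Callable, Dict, List

# Field set of the thread's sample records; a missing field becomes "unknown".
FIELDS = ("id", "timestamp", "pcap_pkt_num", "srcip", "dstip", "protocol",
          "sp", "dp", "filename", "magic", "state", "md5", "size")
MAX_RECORD = 64 * 1024           # longer than this: treat the record as corrupt
MD5_RE = re.compile(r"[0-9a-f]{32}")


class JsonStreamReader:
    """Decode concatenated JSON objects from a stream read in arbitrary chunks.
    Handles one-object-per-line logs and the pretty-printed form in the thread;
    an unfinished record waits for the next chunk, non-JSON bytes are skipped."""

    def __init__(self) -> None:
        self._buf = ""
        self._dec = json.JSONDecoder()

    def feed(self, chunk: str) -> List[dict]:
        self._buf += chunk
        out: List[dict] = []
        while True:
            s = self._buf.lstrip()
            if not s.startswith("{"):
                # Garbage (or nothing) before the next record: drop it.
                nxt = s.find("{")
                self._buf = s[nxt:] if nxt != -1 else ""
                if nxt == -1:
                    break
                continue
            try:
                obj, end = self._dec.raw_decode(s)
            except json.JSONDecodeError:
                # Incomplete trailing record: keep it for the next chunk, unless
                # it has grown past any plausible record size.
                self._buf = "" if len(s) > MAX_RECORD else s
                break
            self._buf = s[end:]
            if isinstance(obj, dict):
                out.append({k: obj.get(k, "unknown") for k in FIELDS})
        return out


class Dispatcher:
    """Hand each new, well-formed md5 to the handlers once: a retransfer must not
    cost a second VirusTotal/CIF lookup, and a non-hash is never sent out."""

    def __init__(self, handlers: List[Callable[[dict], None]]) -> None:
        self.handlers = handlers
        self.seen: Dict[str, dict] = {}      # md5 -> first record seen
        self.skipped = 0

    def process(self, rec: dict) -> bool:
        md5 = str(rec["md5"]).lower()
        if not MD5_RE.fullmatch(md5) or md5 in self.seen:
            self.skipped += 1
            return False
        self.seen[md5] = rec
        for handler in self.handlers:
            handler(rec)
        return True


# Constructed sample stream: the thread's two records (the second on one line,
# minus pcap_pkt_num), a non-JSON line, a repeat of file 1, and a bogus md5.
SAMPLE = """{
"id": 3,
"timestamp": "10/02/2009-21:34:21.470806",
"pcap_pkt_num": 3051,
"srcip": "61.191.61.40",
"dstip": "192.168.2.7",
"protocol": 6,
"sp": 80,
"dp": 1091,
"filename": "/ww/aa1.exe",
"magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit",
"state": "CLOSED",
"md5": "c48f83c92573460e08e258fbd3a189e0",
"size": 29200
}
{"id": 4, "timestamp": "10/02/2009-21:34:29.313231", "srcip": "61.191.61.40", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp": 1091, "filename": "/ww/aa2.exe", "magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit", "state": "CLOSED", "md5": "323f7705b0e297414e8c3aa37dfcf48a", "size": 30224}
this line is not JSON and must not stop the reader
{"id": 5, "filename": "/ww/aa1.exe", "state": "CLOSED", "md5": "c48f83c92573460e08e258fbd3a189e0", "size": 29200}
{"id": 6, "filename": "/ww/bad.exe", "state": "CLOSED", "md5": "not-a-hash", "size": 12}
"""


def demo(split: int = 60) -> Dispatcher:
    """Replay SAMPLE as two chunks split mid-record, as a tailing reader sees it."""
    reader = JsonStreamReader()
    disp = Dispatcher([lambda r: print(r["md5"], r["filename"], r["magic"])])
    for chunk in (SAMPLE[:split], SAMPLE[split:]):
        for rec in reader.feed(chunk):
            disp.process(rec)
    return disp
```

Feed it from whatever tails the log (read what was appended, sleep, repeat) or from the socket; chunk boundaries land wherever the writer's buffering puts them, which is why an unfinished record is buffered rather than treated as an error. The hash check matters as soon as handlers call out to VirusTotal, CIF or malwr.com: only a well-formed md5 should leave the box, and each one should leave once, however many times the same file is seen on the wire.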