[Oisf-devel] filemd5?

Victor Julien victor at inliniac.net
Thu Feb 16 19:44:37 UTC 2012


On 02/16/2012 08:37 PM, Josh White wrote:
> That's perfect, and yes if a field is unknown set it as "unknown". I
> already have scripts for VirusTotal and a few others to log to MongoDB, if
> we had a file/or socket containing full JSON info on the extracted file
> then we can let the DB do the correlation.

Printing one record per line now:

{ "id": 11, "timestamp": "10/02/2009-21:35:20.640186", "srcip": "58.221.254.199", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp": 1089, "filename": "/aa27bg.txt", "magic": "ASCII text, with CRLF line terminators", "state": "CLOSED", "md5": "a1d428952536ba3f0efa2489f492c71d", "size": 1393 }
{ "id": 12, "timestamp": "10/02/2009-21:35:20.642940", "srcip": "58.221.254.104", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp": 1087, "filename": "/360.jpg", "magic": "ASCII text, with CRLF line terminators", "state": "CLOSED", "md5": "b435f72772027d70a28d7f21bbc9479a", "size": 910 }
{ "id": 13, "timestamp": "10/02/2009-21:35:31.223162", "pcap_pkt_num": 8238, "srcip": "61.191.61.40", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp": 1091, "filename": "/ww/aa9.exe", "magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit", "state": "CLOSED", "md5": "b8b2e795a5102d4bf3294c827e064c48", "size": 23682 }

Make sense? Lost some time trying to validate the entire log file
against jparse/edit-json, which would reject it. Then I realized the log
file doesn't have to be a valid json doc, just the individual lines need
to be valid json records. Agreed?

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
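The point in the mail (the log file as a whole is not a JSON document, but every line is a JSON record, with missing fields defaulting to "unknown") as a consumer-side example. This is added code, not Suricata's own or anything from the thread; the field list is assumed from the three sample records, and the sample input below is constructed from them.

```python
import json
from collections import defaultdict

# Fields every record is expected to carry; a missing one is filled with
# "unknown", the convention agreed in the thread (field list assumed from
# the three sample records).
EXPECTED_FIELDS = ("id", "timestamp", "pcap_pkt_num", "srcip", "dstip", "protocol",
                   "sp", "dp", "filename", "magic", "state", "md5", "size")

# Constructed sample input: the three records from the mail, one per line.
SAMPLE_LOG = """\
{ "id": 11, "timestamp": "10/02/2009-21:35:20.640186", "srcip": "58.221.254.199", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp": 1089, "filename": "/aa27bg.txt", "magic": "ASCII text, with CRLF line terminators", "state": "CLOSED", "md5": "a1d428952536ba3f0efa2489f492c71d", "size": 1393 }
{ "id": 12, "timestamp": "10/02/2009-21:35:20.642940", "srcip": "58.221.254.104", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp": 1087, "filename": "/360.jpg", "magic": "ASCII text, with CRLF line terminators", "state": "CLOSED", "md5": "b435f72772027d70a28d7f21bbc9479a", "size": 910 }
{ "id": 13, "timestamp": "10/02/2009-21:35:31.223162", "pcap_pkt_num": 8238, "srcip": "61.191.61.40", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp": 1091, "filename": "/ww/aa9.exe", "magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit", "state": "CLOSED", "md5": "b8b2e795a5102d4bf3294c827e064c48", "size": 23682 }
"""

def whole_file_is_json(text):
    """True only if the entire file parses as a single JSON document."""
    try:
        json.loads(text)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError ("Extra data")
        return False

def parse_file_records(text):
    """Parse one JSON object per line; return (records, bad_line_numbers)."""
    records, bad_lines = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # tolerate blank lines
        try:
            obj = json.loads(line)
        except ValueError:
            bad_lines.append(lineno)  # truncated/corrupt line: skip, don't abort
            continue
        if not isinstance(obj, dict):
            bad_lines.append(lineno)
            continue
        for field in EXPECTED_FIELDS:
            obj.setdefault(field, "unknown")
        records.append(obj)
    return records, bad_lines

def index_by_md5(records):
    """Group records by md5 so the same file seen in several flows correlates."""
    index = defaultdict(list)
    for rec in records:
        index[rec["md5"]].append(rec)
    return dict(index)
```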