[Oisf-devel] filemd5?

Martin Holste mcholste at gmail.com
Thu Feb 16 20:23:44 UTC 2012


PERFECT!  There are going to be some very happy toolsmiths and NSM
analysts out there, myself among them.  Nice work, we need to bore you
more often!

On Thu, Feb 16, 2012 at 2:17 PM, Victor Julien <victor at inliniac.net> wrote:
> On 02/16/2012 08:55 PM, Martin Holste wrote:
>>> Make sense? Lost some time trying to validate the entire log file
>>> against jparse/edit-json, which would reject it. Then I realized the log
>>> file doesn't have to be a valid json doc, just the individual lines need
>>> to be valid json records. Agreed?
>>
>> Yep, exactly.  Also, to be clear, there's no chance to get the HTTP
>> host/URI in there because this is a stream, not an HTTP record, right?
>> Also, any chance the JSON can include the location of the file on
>> disk, if extracted?
>>
>
> You're killing me Martin :)
>
> { "id": 12, "timestamp": "10/02/2009-21:35:20.642940", "srcip":
> "58.221.254.104", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp":
> 1087, "http_uri": "/360.jpg", "http_host":
> "888888888888888888888.kmip.net", "filename": "/360.jpg", "magic":
> "ASCII text, with CRLF line terminators", "state": "CLOSED", "md5":
> "b435f72772027d70a28d7f21bbc9479a", "size": 910 }
> { "id": 13, "timestamp": "10/02/2009-21:35:31.223162", "pcap_pkt_num":
> 8238, "srcip": "61.191.61.40", "dstip": "192.168.2.7", "protocol": 6,
> "sp": 80, "dp": 1091, "http_uri": "/ww/aa9.exe", "http_host":
> "vcrvcr.3322.org", "filename": "/ww/aa9.exe", "magic": "PE32 executable
> for MS Windows (GUI) Intel 80386 32-bit", "state": "CLOSED", "md5":
> "b8b2e795a5102d4bf3294c827e064c48", "size": 23682 }
> { "id": 14, "timestamp": "10/02/2009-21:35:41.127509", "pcap_pkt_num":
> 9151, "srcip": "61.191.61.40", "dstip": "192.168.2.7", "protocol": 6,
> "sp": 80, "dp": 1091, "http_uri": "/ww/aa10.exe", "http_host":
> "vcrvcr.3322.org", "filename": "/ww/aa10.exe", "magic": "PE32 executable
> for MS Windows (GUI) Intel 80386 32-bit", "state": "CLOSED", "md5":
> "7c24f8920dfa6f5f467e6c4ae0774586", "size": 23660 }
>
> The "id" field relates to the file id on disk, so 14 relates to
> /var/log/suricata/files/file.14. Is that good enough?
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
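The per-line JSON log and the "id" to file.N mapping discussed above, as an added example that is not code from the thread or from Suricata: it decodes each line on its own (so a truncated trailing record is reported rather than fatal), resolves the extracted file's path, re-hashes that file to confirm it still matches the logged md5 and size, and picks out the PE32 records for triage. The files directory default, the sample log (two records quoted in the thread plus a constructed truncated line) and the constructed file.99 are assumptions.

```python
import hashlib
import json
import os
import tempfile

# Two records quoted in the thread plus one constructed truncated line,
# as a log still being written by Suricata may end mid-record.
SAMPLE_LOG = '''{ "id": 12, "timestamp": "10/02/2009-21:35:20.642940", "srcip": "58.221.254.104", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp": 1087, "http_uri": "/360.jpg", "http_host": "888888888888888888888.kmip.net", "filename": "/360.jpg", "magic": "ASCII text, with CRLF line terminators", "state": "CLOSED", "md5": "b435f72772027d70a28d7f21bbc9479a", "size": 910 }
{ "id": 13, "timestamp": "10/02/2009-21:35:31.223162", "pcap_pkt_num": 8238, "srcip": "61.191.61.40", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp": 1091, "http_uri": "/ww/aa9.exe", "http_host": "vcrvcr.3322.org", "filename": "/ww/aa9.exe", "magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit", "state": "CLOSED", "md5": "b8b2e795a5102d4bf3294c827e064c48", "size": 23682 }
{ "id": 14, "timestamp": "10/02/2009-21:35:41.127509", "pcap_pkt_num"
'''

def parse_file_log(text):
    """One JSON object per line; return (records, bad_line_numbers).
    The file as a whole is not a JSON document, so decode line by line."""
    records, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except ValueError:  # JSONDecodeError is a ValueError
            bad.append(lineno)
    return records, bad

def extracted_path(rec, files_dir="/var/log/suricata/files"):
    """Map the record's "id" to the extracted file, e.g. id 14 -> file.14."""
    return os.path.join(files_dir, "file.%d" % rec["id"])

def verify_md5(rec, files_dir="/var/log/suricata/files"):
    """True if the file on disk still matches the logged md5 and size."""
    h, size = hashlib.md5(), 0
    with open(extracted_path(rec, files_dir), "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest() == rec["md5"] and size == rec["size"]

def executables(records):
    """Ids of records whose libmagic type marks them as PE executables."""
    return [r["id"] for r in records if r.get("magic", "").startswith("PE32")]

def self_check():
    """Constructed end-to-end run: write a fake file.99, verify, then tamper."""
    data = b"MZ" + b"\x90" * 62  # constructed bytes, not a real PE
    rec = {"id": 99, "md5": hashlib.md5(data).hexdigest(), "size": len(data)}
    with tempfile.TemporaryDirectory() as d:
        with open(extracted_path(rec, d), "wb") as fh:
            fh.write(data)
        intact = verify_md5(rec, d)
        rec["size"] += 1  # log/disk mismatch: size no longer agrees
        return intact, verify_md5(rec, d)
```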