<div dir="ltr">As far as I know the HTTP server response could be logged in the json file easily. I don't remember if I did something special, I worked with Suricata some time ago...<div><br></div><div>My environment was:</div><div><br></div><div>Suricata --> json --> [ELK - Elasticsearch API] <-- python script</div><div><br></div><div>So I configured a python script to check the following via Elasticsearch API </div><div><br></div><div>>10 *SQL Injection* alerts & <30 sec & HTTP reponse == 200 --> send me an email with the attacker's source IP.</div><div><br></div><div>I wasn´t interested in detecting SQLi attacks, just interested in successfull SQLi attacks.</div><div><br></div><div>I don´t know if this is what you are looking for...</div><div><div><br></div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jun 16, 2016 at 10:32 PM Duane Howard <<a href="mailto:duane.security@gmail.com">duane.security@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">shameless plug for stenographer as a solution for FPC here too: <a href="https://github.com/google/stenographer" target="_blank">https://github.com/google/stenographer</a><div><br></div><div>for a short term hack you could also use the tag:session,60,seconds or similar to get the full stream content for rules you want?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 15, 2016 at 12:05 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I never got around to doing it, but Moloch use ELK as it's front end, so<br>
it's easy to integrate it with other tools. You can build queries via a<br>
single http request.<br>
<br>
So something you could do would be to have a cron job watch the text<br>
logs for events, scrape events you are interested in, turn them in a<br>
moloch url and then email them to a SOC handler. Then they can see the<br>
alert and then just click the link to see IP conversation in context.<br>
<br>
-Coop<br>
<span><br>
On 6/15/2016 11:01 AM, Jordon Carpenter wrote:<br>
> Awesome, I will check that out. Thanks!<br>
><br>
><br>
</span><div><div>> *Jordon Carpenter*<br>
> Rook Security <<a href="https://www.rooksecurity.com/" rel="noreferrer" target="_blank">https://www.rooksecurity.com/</a>><br>
> *Anticipate, Manage, & Eliminate Threats*<br>
<br>
<br>
--<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ITS Security Team<br>
<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a> x41042<br>
<br>
</div></div><br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 9-11 in Washington, DC: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br></blockquote></div><br></div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 9-11 in Washington, DC: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a></blockquote></div>