<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap:break-word"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">Thanks for the input. Im not looking specifically for SQL events, but more of, if an alert fires log the session for the 60 or so seconds. I like the idea of moloch/pigsty combo, but just adding the tag `tag:session,60,seconds` to a signature would be a lot easier for me. Anyone know how to implement once you tag a signature? There is no references in the suricata config file. </div> <div><br></div><div><br></div><br> <div id="bloop_sign_1467145033637542912" class="bloop_sign"><div style="font-family:helvetica,arial;font-size:13px"><div style="font-size:12.8000001907349px;color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal"><span style="color:rgb(0,0,0);line-height:normal;font-size:14px;font-family:roboto,sans-serif"><strong><br></strong></span></div><div style="font-size:12.8000001907349px;color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal"><span style="color:rgb(0,0,0);line-height:normal;font-size:14px;font-family:roboto,sans-serif"><strong>Jordon Carpenter</strong></span><br style="color:rgb(0,0,0);font-family:Times;font-size:medium;line-height:normal"><span style="color:rgb(0,0,0);line-height:normal;font-size:12px;font-family:roboto,sans-serif"><a href="https://www.rooksecurity.com/" style="color:rgb(0,0,0)">Rook Security</a></span><br style="color:rgb(0,0,0);font-family:Times;font-size:medium;line-height:normal"><span style="color:rgb(0,0,0);line-height:normal;font-size:12px;font-family:roboto,sans-serif"><em>Anticipate, Manage, & Eliminate Threats</em></span><br style="color:rgb(0,0,0);font-family:Times;font-size:medium;line-height:normal"><br style="color:rgb(0,0,0);font-family:Times;font-size:medium;line-height:normal"><span style="color:rgb(0,0,0);line-height:normal;font-size:12px;font-family:roboto,sans-serif">O: 888.712.9531 x734</span><br style="color:rgb(0,0,0);font-family:Times;font-size:medium;line-height:normal"><span style="color:rgb(0,0,0);line-height:normal;font-size:12px;font-family:calibri,sans-serif"><span style="font-family:roboto,sans-serif">E: <a href="mailto:jordon.carpenter@rooksecurity.com">jordon.carpenter@rooksecurity.com</a></span><br><br><span style="font-family:roboto,sans-serif"><a href="https://www.facebook.com/rookconsulting"><img src="cid:76BE6680-795D-4FF4-B8BD-25D22378BBEE" border="0" alt="rookconsulting"></a> <a href="https://twitter.com/rooksecurity"><img src="cid:88C6DA4A-1717-44EF-AA59-D9266233607D" border="0" alt="rooksecurity"></a> <a href="https://www.linkedin.com/company/rook-security"><img src="cid:D5F0C29C-7F46-4AB3-94C5-F835DC22B650" border="0" alt="Rook LinkedIn"></a></span><br><br><span style="font-family:roboto,sans-serif"><a href="https://rooksecurity.sigstr.net/uc/5702adef825be96deedb141a"><img src="https://rooksecurity.sigstr.net/uc/5702adef825be96deedb141a/img" border="0" alt="Seconds Matter" style="color: blue; font-family: Helvetica;"></a></span><br><br><span style="font-size:10px"><span style="font-family:roboto,sans-serif">This e-mail may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply e-mail and delete all copies of this message</span><br></span><br></span><div id="watermark" style="color:rgb(0,0,0);font-family:Times;font-size:medium;line-height:normal"><a href="https://rooksecurity.sigstr.net/uc/5702adef825be96deedb141a/watermark" style="text-decoration:none;outline:0px!important"><img src="https://rooksecurity.sigstr.net/uc/5702adef825be96deedb141a/watermark_img" alt="Powered by Sigstr" border="0" style="color: rgb(99, 99, 99); font-family: Helvetica; font-size: 11px;"></a></div></div><p style="margin:0px;font-size:12px;line-height:normal;font-family:Helvetica"></p></div></div> <br><p class="airmail_on">On June 16, 2016 at 5:33:09 PM, Cooper F. Nelson (<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div><div></div><div>Actually, that's an excellent question.
<br>
<br>Jordon, if you just want the HTTP server response code (i.e. 200, 404,
<br>etc), you can do that easily with the http logging function.
<br>
<br>Just use the 'custom' option
<br>
<br>> custom: yes # enabled the custom logging format (defined by customformat)
<br>> customformat: "%{%m/%d/%Y-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
<br>
<br>The '%s' format string is the response code.
<br>
<br>More details here:
<br>
<br>> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging</a>
<br>
<br>Given the context (SQL injection attempt) I'm assuming you are looking
<br>for actual data leakage. I'll note that the ET ruleset ships with some
<br>signatures to look for SQL in HTTP server responses, but these aren't
<br>guaranteed to work in all cases. Especially for blind SQL injection.
<br>
<br>-Coop
<br>
<br>On 6/16/2016 2:21q PM, Javier Nieto wrote:
<br>> As far as I know the HTTP server response could be logged in the json file
<br>> easily. I don't remember if I did something special, I worked with Suricata
<br>> some time ago...
<br>>
<br>> My environment was:
<br>>
<br>> Suricata --> json --> [ELK - Elasticsearch API] <-- python script
<br>>
<br>> So I configured a python script to check the following via Elasticsearch
<br>> API
<br>>
<br>>> >10 *SQL Injection* alerts & <30 sec & HTTP reponse == 200 --> send me an
<br>> email with the attacker's source IP.
<br>>
<br>> I wasn´t interested in detecting SQLi attacks, just interested in
<br>> successfull SQLi attacks.
<br>>
<br>> I don´t know if this is what you are looking for...
<br>
<br>
<br>--
<br>Cooper Nelson
<br>Network Security Analyst
<br>UCSD ITS Security Team
<br><a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042
<br>
<br></div></div></span></blockquote></body></html>