<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi there,<br>
<br>
we're in a progress with the Feature #120 in GreyCortex. And there
is another feature in our roadmap: to perform some action or, more
generally, to run a custom script (Lua?) either at the time of the
event or at the end of the flow. I think, this is what was Jordon
originally asking for... am I right?<span
class="repository-meta-content"><span itemprop="about"><br>
<br>
</span></span><span class="repository-meta-content"><span
itemprop="about"><span class="repository-meta-content"><span
itemprop="about">However, we think to embed this into our <span
class="repository-meta-content"><span itemprop="about">spooler
(like Barnyard2) rather then to Suricata itself - it is
much cleaner. </span></span>The question should
probably go to the devel forum, but </span></span>is there
a place (hook or whatever) how to run such scripts from
Suricata? There are many other open questions as which thread
should run it, etc.<br>
<br>
Also, Suricata can't extract data from an arbitrary protocol </span></span><span
class="repository-meta-content"><span itemprop="about"><span
class="repository-meta-content"><span itemprop="about">at the
moment</span></span>. This may be a simple task for some
unencrypted text-based protocols - which database do you use,
btw? The problem is, there are many more out there as Oracle or
Postgres, they are </span></span><span
class="repository-meta-content"><span itemprop="about"><span
class="repository-meta-content"><span itemprop="about">somehow
structured, </span></span>binary and encrypted even on
localhost by default. It seems extracting the query won't be
impossible, but in case of the result set, the pcap looks as the
best option... just after analyzing the DB logs. If you have the
access, logs are the best way for you.</span></span><br>
<br>
Petr<br>
<br>
<br>
<div class="moz-cite-prefix">On 28.6.2016 22:43, Cooper F. Nelson
wrote:<br>
</div>
<blockquote cite="mid:5772E16D.5060102@ucsd.edu" type="cite">
<pre wrap="">I don't think this was ever formally added as a feature:
</pre>
<blockquote type="cite">
<pre wrap=""><a class="moz-txt-link-freetext" href="https://redmine.openinfosecfoundation.org/issues/120">https://redmine.openinfosecfoundation.org/issues/120</a>
</pre>
</blockquote>
<pre wrap="">
Btw, suricata can log full-packet capture, up to the stream depth. TLS
sessions are truncated past the handshake. Assuming you have the
storage, you could just log everything and extract the data you want
later by only searching the pcap files from that specific time range.
-Coop
On 6/28/2016 1:25 PM, <a class="moz-txt-link-abbreviated" href="mailto:jordon.carpenter@rooksecurity.com">jordon.carpenter@rooksecurity.com</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Thanks for the input. Im not looking specifically for SQL events, but more
of, if an alert fires log the session for the 60 or so seconds. I like the
idea of moloch/pigsty combo, but just adding the tag
`tag:session,60,seconds` to a signature would be a lot easier for me.
Anyone know how to implement once you tag a signature? There is no
references in the suricata config file.
*Jordon Carpenter*
Rook Security <a class="moz-txt-link-rfc2396E" href="https://www.rooksecurity.com/"><https://www.rooksecurity.com/></a>
*Anticipate, Manage, & Eliminate Threats*
O: 888.712.9531 x734
E: <a class="moz-txt-link-abbreviated" href="mailto:jordon.carpenter@rooksecurity.com">jordon.carpenter@rooksecurity.com</a>
[image: rookconsulting] <a class="moz-txt-link-rfc2396E" href="https://www.facebook.com/rookconsulting"><https://www.facebook.com/rookconsulting></a> [image:
rooksecurity] <a class="moz-txt-link-rfc2396E" href="https://twitter.com/rooksecurity"><https://twitter.com/rooksecurity></a> [image: Rook LinkedIn]
<a class="moz-txt-link-rfc2396E" href="https://www.linkedin.com/company/rook-security"><https://www.linkedin.com/company/rook-security></a>
[image: Seconds Matter]
<a class="moz-txt-link-rfc2396E" href="https://rooksecurity.sigstr.net/uc/5702adef825be96deedb141a"><https://rooksecurity.sigstr.net/uc/5702adef825be96deedb141a></a>
This e-mail may contain confidential and privileged material for the sole
use of the intended recipient. Any review, use, distribution or disclosure
by others is strictly prohibited. If you are not the intended recipient (or
authorized to receive for the recipient), please contact the sender by
reply e-mail and delete all copies of this message
[image: Powered by Sigstr]
<a class="moz-txt-link-rfc2396E" href="https://rooksecurity.sigstr.net/uc/5702adef825be96deedb141a/watermark"><https://rooksecurity.sigstr.net/uc/5702adef825be96deedb141a/watermark></a>
On June 16, 2016 at 5:33:09 PM, Cooper F. Nelson (<a class="moz-txt-link-abbreviated" href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a>) wrote:
Actually, that's an excellent question.
Jordon, if you just want the HTTP server response code (i.e. 200, 404,
etc), you can do that easily with the http logging function.
Just use the 'custom' option
</pre>
<blockquote type="cite">
<pre wrap="">custom: yes # enabled the custom logging format (defined by customformat)
customformat: "%{%m/%d/%Y-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u
</pre>
</blockquote>
<pre wrap="">%s %B %a:%p -> %A:%P"
The '%s' format string is the response code.
More details here:
</pre>
<blockquote type="cite">
<pre wrap="">
</pre>
</blockquote>
<pre wrap=""><a class="moz-txt-link-freetext" href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging</a>
Given the context (SQL injection attempt) I'm assuming you are looking
for actual data leakage. I'll note that the ET ruleset ships with some
signatures to look for SQL in HTTP server responses, but these aren't
guaranteed to work in all cases. Especially for blind SQL injection.
-Coop
On 6/16/2016 2:21q PM, Javier Nieto wrote:
</pre>
<blockquote type="cite">
<pre wrap="">As far as I know the HTTP server response could be logged in the json
</pre>
</blockquote>
<pre wrap="">file
</pre>
<blockquote type="cite">
<pre wrap="">easily. I don't remember if I did something special, I worked with
</pre>
</blockquote>
<pre wrap="">Suricata
</pre>
<blockquote type="cite">
<pre wrap="">some time ago...
My environment was:
Suricata --> json --> [ELK - Elasticsearch API] <-- python script
So I configured a python script to check the following via Elasticsearch
API
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">10 *SQL Injection* alerts & <30 sec & HTTP reponse == 200 --> send me
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">an
</pre>
<blockquote type="cite">
<pre wrap="">email with the attacker's source IP.
I wasn´t interested in detecting SQLi attacks, just interested in
successfull SQLi attacks.
I don´t know if this is what you are looking for...
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<pre wrap="">
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
Suricata User Conference November 9-11 in Washington, DC: <a class="moz-txt-link-freetext" href="http://oisfevents.net">http://oisfevents.net</a></pre>
</blockquote>
<br>
</body>
</html>