<div dir="ltr">Please read through <a href="https://github.com/John-Lin/pigrelay">https://github.com/John-Lin/pigrelay</a>. The snort integration is just following a snort socket; the same effect can be had by continuous integration of eve.json (trivial to process since, you know, its in json format...) and just processing inside of pigrelay. Handoff between pigrelay and ryu is even possible using partial extraction from eve alerts. Unfortunately, I have no test environment to tinker with pigrelay and ryu, so t his is really about the only guidance I can offer. Someone else may have modified pigrelay, or have some insight into how it can be done. Doesn't look like it should be too difficult however, assuming you can hax python.<div><br></div><div>Erik</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Dec 4, 2019 at 11:31 PM Priyatham Ganta <<a href="mailto:gantapritham4@gmail.com">gantapritham4@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Erik,<div><br></div><div>Can you give more details on this parser and any url on how to use it.</div><div><br></div><div>Thanks</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 3 Dec 2019 at 04:08, erik clark <<a href="mailto:philosnef@gmail.com" target="_blank">philosnef@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Phone message, sorry for spam. If you are talking about ryu from openflow, looks it it already has a from_jsondict option. Nearly everything has a json parser nowadays<div dir="auto"><br></div><div dir="auto"><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Dec 3, 2019, 7:00 AM <<a href="mailto:oisf-users-request@lists.openinfosecfoundation.org" target="_blank">oisf-users-request@lists.openinfosecfoundation.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Send Oisf-users mailing list submissions to<br>
<a href="mailto:oisf-users@lists.openinfosecfoundation.org" rel="noreferrer" target="_blank">oisf-users@lists.openinfosecfoundation.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:oisf-users-request@lists.openinfosecfoundation.org" rel="noreferrer" target="_blank">oisf-users-request@lists.openinfosecfoundation.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:oisf-users-owner@lists.openinfosecfoundation.org" rel="noreferrer" target="_blank">oisf-users-owner@lists.openinfosecfoundation.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Oisf-users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: Question on eve.json file (Jason Ish)<br>
2. Suricata-Ryu integration (Priyatham Ganta)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Mon, 2 Dec 2019 12:53:19 -0600<br>
From: Jason Ish <<a href="mailto:jason.ish@oisf.net" rel="noreferrer" target="_blank">jason.ish@oisf.net</a>><br>
To: <a href="mailto:oisf-users@lists.openinfosecfoundation.org" rel="noreferrer" target="_blank">oisf-users@lists.openinfosecfoundation.org</a><br>
Subject: Re: [Oisf-users] Question on eve.json file<br>
Message-ID: <<a href="mailto:01e689d1-5ffb-3e59-34b0-48a53c3c5a1a@oisf.net" rel="noreferrer" target="_blank">01e689d1-5ffb-3e59-34b0-48a53c3c5a1a@oisf.net</a>><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
Hi Leonard,<br>
<br>
On 2019-12-01 10:38 p.m., Leonard Jacobs wrote:<br>
> I have noticed that several log items are nested under alert. In<br>
> particular, signature and action are nested under alert. Is there a way<br>
> to not have those log items nested under alert with eve.json file?<br>
<br>
No, there is a not way to do this with Suricata. Post-processing tools<br>
like Logstash could likeley be configured to make the transformation though.<br>
<br>
Eve is a generic format with mostly generic event parameters at the top<br>
level. Anything event_type specific is placed under the object for that<br>
event_type.<br>
<br>
Jason<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Mon, 2 Dec 2019 15:47:22 -0800<br>
From: Priyatham Ganta <<a href="mailto:gantapritham4@gmail.com" rel="noreferrer" target="_blank">gantapritham4@gmail.com</a>><br>
To: <a href="mailto:oisf-users@lists.openinfosecfoundation.org" rel="noreferrer" target="_blank">oisf-users@lists.openinfosecfoundation.org</a><br>
Subject: [Oisf-users] Suricata-Ryu integration<br>
Message-ID:<br>
<CABXPuZ93NVx8sd3=<a href="mailto:yktw2wgH--973G60COXztvqPFL_g7T233g@mail.gmail.com" rel="noreferrer" target="_blank">yktw2wgH--973G60COXztvqPFL_g7T233g@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi,<br>
<br>
I want to integrate Suricata with the Ryu controller and I checked that<br>
there is no built-in library for Suricata in the Ryu controller.<br>
<br>
I was thinking if I can convert Suricata messages to snort messages and use<br>
the same library or I want to know if there is any other way I can<br>
integrate Suricata with the Ryu controller to parse the alerts generated by<br>
Suricata.<br>
<br>
Thanks<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191202/a9362e96/attachment-0001.html" rel="noreferrer noreferrer" target="_blank">http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191202/a9362e96/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@lists.openinfosecfoundation.org" rel="noreferrer" target="_blank">Oisf-users@lists.openinfosecfoundation.org</a><br>
<a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
<br>
------------------------------<br>
<br>
End of Oisf-users Digest, Vol 121, Issue 2<br>
******************************************<br>
</blockquote></div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div>
</blockquote></div>