[Oisf-devel] filemd5?

Victor Julien victor at inliniac.net
Thu Feb 16 20:17:29 UTC 2012


On 02/16/2012 08:55 PM, Martin Holste wrote:
>> Make sense? Lost some time trying to validate the entire log file
>> against jparse/edit-json, which would reject it. Then I realized the log
>> file doesn't have to be a valid json doc, just the individual lines need
>> to be valid json records. Agreed?
> 
> Yep, exactly.  Also, to be clear, there's no chance to get the HTTP
> host/URI in there because this is a stream, not a HTTP record, right?
> Also, any chance the JSON can include the location of the file on
> disk, if extracted?
> 

You're killing me, Martin :)

{ "id": 12, "timestamp": "10/02/2009-21:35:20.642940", "srcip": "58.221.254.104", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp": 1087, "http_uri": "/360.jpg", "http_host": "888888888888888888888.kmip.net", "filename": "/360.jpg", "magic": "ASCII text, with CRLF line terminators", "state": "CLOSED", "md5": "b435f72772027d70a28d7f21bbc9479a", "size": 910 }
{ "id": 13, "timestamp": "10/02/2009-21:35:31.223162", "pcap_pkt_num": 8238, "srcip": "61.191.61.40", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp": 1091, "http_uri": "/ww/aa9.exe", "http_host": "vcrvcr.3322.org", "filename": "/ww/aa9.exe", "magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit", "state": "CLOSED", "md5": "b8b2e795a5102d4bf3294c827e064c48", "size": 23682 }
{ "id": 14, "timestamp": "10/02/2009-21:35:41.127509", "pcap_pkt_num": 9151, "srcip": "61.191.61.40", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp": 1091, "http_uri": "/ww/aa10.exe", "http_host": "vcrvcr.3322.org", "filename": "/ww/aa10.exe", "magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit", "state": "CLOSED", "md5": "7c24f8920dfa6f5f467e6c4ae0774586", "size": 23660 }

The "id" field relates to the file id on disk, so 14 relates to
/var/log/suricata/files/file.14. Is that good enough?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
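The exchange above settles two things a consumer of this log needs to get right: the file log is not one JSON document but one JSON record per line, and "id" maps to the extracted file at /var/log/suricata/files/file.<id>. The script below is an added example, written for this page and not Suricata's own code, that reads the log that way, resolves each record to its on-disk file, checks the file's MD5 against the record's "md5", and pulls out the records whose libmagic type is a PE32 executable. It embeds the three records Victor posted as sample input; the base directory defaults to the path he names, and the file contents used in demo_verify() are constructed here.

```python
"""Consume Suricata's file log as newline-delimited JSON (one record per line)."""
import hashlib
import json
import os
import tempfile

# The three records from Victor's mail, one per line, exactly as the log holds them.
SAMPLE_LOG = """\
{ "id": 12, "timestamp": "10/02/2009-21:35:20.642940", "srcip": "58.221.254.104", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp": 1087, "http_uri": "/360.jpg", "http_host": "888888888888888888888.kmip.net", "filename": "/360.jpg", "magic": "ASCII text, with CRLF line terminators", "state": "CLOSED", "md5": "b435f72772027d70a28d7f21bbc9479a", "size": 910 }
{ "id": 13, "timestamp": "10/02/2009-21:35:31.223162", "pcap_pkt_num": 8238, "srcip": "61.191.61.40", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp": 1091, "http_uri": "/ww/aa9.exe", "http_host": "vcrvcr.3322.org", "filename": "/ww/aa9.exe", "magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit", "state": "CLOSED", "md5": "b8b2e795a5102d4bf3294c827e064c48", "size": 23682 }
{ "id": 14, "timestamp": "10/02/2009-21:35:41.127509", "pcap_pkt_num": 9151, "srcip": "61.191.61.40", "dstip": "192.168.2.7", "protocol": 6, "sp": 80, "dp": 1091, "http_uri": "/ww/aa10.exe", "http_host": "vcrvcr.3322.org", "filename": "/ww/aa10.exe", "magic": "PE32 executable for MS Windows (GUI) Intel 80386 32-bit", "state": "CLOSED", "md5": "7c24f8920dfa6f5f467e6c4ae0774586", "size": 23660 }
"""

DEFAULT_BASE_DIR = "/var/log/suricata/files"   # the directory Victor names


def whole_file_is_json(text):
    """True only if the entire log parses as a single JSON document.

    It does not: a second record is 'extra data' to a JSON parser, which is
    exactly why validating the whole file with a JSON tool rejects it.
    """
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def parse_file_log(text):
    """Parse the log line by line; every non-blank line must be a JSON object."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError as exc:
            raise ValueError("line %d is not a JSON record: %s" % (lineno, exc)) from None
        if not isinstance(rec, dict) or "id" not in rec or "md5" not in rec:
            raise ValueError("line %d lacks the id/md5 fields" % lineno)
        records.append(rec)
    return records


def extracted_path(record, base_dir=DEFAULT_BASE_DIR):
    """Map a record's 'id' to the extracted file on disk: <base_dir>/file.<id>."""
    return os.path.join(base_dir, "file.%d" % int(record["id"]))


def verify_md5(record, base_dir=DEFAULT_BASE_DIR):
    """Return True/False when the extracted file's MD5 matches the record, None if the file is absent."""
    path = extracted_path(record, base_dir)
    if not os.path.isfile(path):
        return None
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest() == record["md5"].lower()


def executables(records):
    """Records whose libmagic string identifies a PE32 executable (aa9.exe and aa10.exe above)."""
    return [r for r in records if r.get("magic", "").startswith("PE32 executable")]


def demo_verify():
    """Exercise verify_md5 against a constructed extracted file in a temp dir."""
    data = b"MZ" + b"\x00" * 62                      # constructed stand-in for an extracted file
    rec = {"id": 99, "md5": hashlib.md5(data).hexdigest()}
    with tempfile.TemporaryDirectory() as base:
        with open(extracted_path(rec, base), "wb") as fh:
            fh.write(data)
        good = verify_md5(rec, base)                 # digest matches -> True
        bad = verify_md5(dict(rec, md5="0" * 32), base)  # wrong digest -> False
    missing = verify_md5({"id": 100, "md5": "0" * 32}, base)  # temp dir is gone -> None
    return good, bad, missing


if __name__ == "__main__":
    print("whole log is one JSON document:", whole_file_is_json(SAMPLE_LOG))
    for rec in parse_file_log(SAMPLE_LOG):
        print(rec["id"], rec.get("pcap_pkt_num"), rec["http_host"] + rec["http_uri"],
              extracted_path(rec), rec["md5"])
    for rec in executables(parse_file_log(SAMPLE_LOG)):
        print("PE32:", rec["http_host"] + rec["http_uri"], rec["md5"], verify_md5(rec))
    print(demo_verify())
```

Note that record 12 has no "pcap_pkt_num" while 13 and 14 do, so consumers should treat fields beyond "id" and "md5" as optional; on a host where the files directory exists, verify_md5() with the default base directory checks the real extracted file.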