[Oisf-users] how to add field to eve-log output ?

mxs kolo kolomaxes at gmail.com
Mon Aug 1 15:51:19 UTC 2016


Hi all.

Does Suricata have a way to dynamically add a field to the eve-log output?
For example, with rule sid:2008584 I can detect p2p packets with "get_peers".
I can view payload and payload_printable in the output:
{
  "timestamp": "2016-08-01T18:37:50.625640+0300",
  "flow_id": 222168480,
  "in_iface": "bond0",
  "event_type": "alert",
  "src_ip": "X.X.X.X",
  "src_port": 35783,
  "dest_ip": "Y.Y.Y.Y",
  "dest_port": 6881,
  "proto": "UDP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2008584,
    "rev": 5,
    "signature": "ET P2P BitTorrent DHT get_peers request",
    "category": "Potential Corporate PrivacyViolation",
    "severity": 1
  },
  "payload": "XXXXXXXXXXXXXXXX",
  "payload_printable": "d1:ad2:id20:XXXXXXX:info_hash20:XXXXq9:get_peers1:XXX",
  "stream": 0
}

But I need to extract additional info from the payload (info_hash or DHT)
and add this field to the output.
Right now I have Python code to extract the info_hash from a tcpdump stream, but
I would like to integrate this process into the suricata->elastic flow.
It would be much easier to search in Elastic by DHT, because often a
privacy complaint contains only the date, time and DHT.
It's just an example; there are probably other cases where adding a custom field to
the eve.json output would be helpful.

b.r.
  Maxim Kozin
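One way to get the field the post asks for without changing Suricata is to enrich eve.json lines between Suricata and Elastic. The following is an added example, not code from the original post or from Suricata: it base64-decodes the alert's "payload", decodes the bencoded DHT message, and adds a hypothetical "dht_info_hash" field (the field name and the sample event are assumptions, constructed here for the example).

```python
import base64
import json

# Constructed sample: a bencoded DHT get_peers request with a made-up 20-byte
# info_hash, wrapped in a minimal eve.json alert the way Suricata emits it.
_SAMPLE_INFO_HASH = bytes(range(0x10, 0x24))  # 20 bytes, constructed
_SAMPLE_PAYLOAD = (b"d1:ad2:id20:" + b"A" * 20 + b"9:info_hash20:" + _SAMPLE_INFO_HASH
                   + b"e1:q9:get_peers1:t2:aa1:y1:qe")
SAMPLE_EVE_LINE = json.dumps({
    "event_type": "alert",
    "alert": {"signature_id": 2008584, "signature": "ET P2P BitTorrent DHT get_peers request"},
    "payload": base64.b64encode(_SAMPLE_PAYLOAD).decode(),
})


def bdecode(data, pos=0):
    """Minimal bencode decoder; returns (value, next_pos). Keys and strings stay bytes."""
    c = data[pos:pos + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list or dict: l...e / d...e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            value, pos = bdecode(data, pos)
            items.append(value)
        if c == b"l":
            return items, pos + 1
        return dict(zip(items[0::2], items[1::2])), pos + 1
    colon = data.index(b":", pos)                  # byte string: <len>:<bytes>
    length = int(data[pos:colon])
    return data[colon + 1:colon + 1 + length], colon + 1 + length


def enrich(line):
    """Return the eve event with dht_info_hash (hex) added when the payload carries one."""
    event = json.loads(line)
    if event.get("event_type") != "alert" or "payload" not in event:
        return event
    try:
        msg, _ = bdecode(base64.b64decode(event["payload"]))
        args = msg.get(b"a") if isinstance(msg, dict) else None        # "a" = query arguments
        info_hash = args.get(b"info_hash") if isinstance(args, dict) else None
    except (ValueError, TypeError, RecursionError):  # not bencode or malformed: leave it
        return event
    if isinstance(info_hash, bytes) and len(info_hash) == 20:
        event["dht_info_hash"] = info_hash.hex()
    return event


if __name__ == "__main__":
    print(json.dumps(enrich(SAMPLE_EVE_LINE)))
```

Run it as a filter over each eve.json line before the Elastic shipper; a non-DHT payload, or a payload without a 20-byte info_hash, passes through unchanged.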
