[Oisf-users] eve.json parser

conf file conf.files at gmail.com
Thu Feb 11 19:30:51 UTC 2016


List,

I am in the process of writing a parser for the eve.json log. So far here's
what I've accomplished:

1) Create PCAPs from the packet field
2) Create CEF formatted events to forward off to a SIEM

All of the above is working as expected and works quite well. What I would
like to do in addition is attach the payload field to the already created
PCAP. Since the payload field contains no header information I would like
to pull the headers off of the packet field and reuse them with the payload
field. Meaning, I plan to use unpack to pull ~60B off of the packet and
insert it as a new packet into the PCAP. For reference, here's the PCAP
format:

Global PCAP header: 24 bytes (0-24) (magic bytes, PCAP version, snap len,
link type)
PCAP header: 16 bytes (25-40) -- timestamp in epoch (4B), microseconds(4B),
packet len (4B), packet len (4B)
Ethernet, ip, tcp/udp/L5, data (JSON packet field)
PCAP header: 16 bytes (25-40) -- timestamp in epoch (4B), microseconds(4B),
packet len (4B), packet len (4B)
Ethernet, ip, tcp/udp/L5, data (headers from the packet field + the payload
field)
...

I have uploaded the script here: http://www.magikman.net/parseLog.txt

I would really appreciate input from the list. Specifically I am looking
for ideas / guidance on how best to make use of the payload data. Also,
what data can I expect to find in the payload field?


Thanks!
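The approach described above (decode the base64 `packet` field into a pcap record, then graft the Ethernet/IP/L4 headers from that packet onto the `payload` field as a second record), as an added Python example. This is not the poster's parseLog script and not Suricata code; it assumes Ethernet/IPv4 frames carrying TCP or UDP, the `<IHHiIII`/`<IIII` little-endian pcap layout, and a constructed eve.json alert record (not real Suricata output) as sample input. Because the headers are reused verbatim, the IPv4 total length (and UDP length) are patched and the IP header checksum recomputed so the synthetic frame decodes; the TCP/UDP checksum and sequence numbers are deliberately left untouched, so expect dissectors to flag them.

```python
import base64
import json
import struct
from datetime import datetime

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header (caller zeroes the checksum field)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def l4_header_end(pkt: bytes) -> int:
    """Offset where L5 data starts: Ethernet (14) + IPv4 (IHL*4) + TCP (data offset*4) or UDP (8)."""
    if struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("only Ethernet/IPv4 frames are handled in this example")
    ihl = (pkt[14] & 0x0F) * 4
    l4 = 14 + ihl
    proto = pkt[14 + 9]
    if proto == IPPROTO_TCP:
        return l4 + (pkt[l4 + 12] >> 4) * 4
    if proto == IPPROTO_UDP:
        return l4 + 8
    raise ValueError("unsupported L4 protocol %d" % proto)


def graft_payload(pkt: bytes, payload: bytes) -> bytes:
    """Reuse pkt's Ethernet/IP/L4 headers in front of payload, fixing the IPv4 total length,
    IPv4 header checksum and (for UDP) the UDP length. The L4 checksum is left stale on purpose."""
    hdr_len = l4_header_end(pkt)
    headers = bytearray(pkt[:hdr_len])
    ihl = (headers[14] & 0x0F) * 4
    struct.pack_into("!H", headers, 14 + 2, hdr_len - 14 + len(payload))  # IPv4 total length
    if headers[14 + 9] == IPPROTO_UDP:
        struct.pack_into("!H", headers, 14 + ihl + 4, 8 + len(payload))   # UDP length
    struct.pack_into("!H", headers, 14 + 10, 0)                            # zero, then recompute
    struct.pack_into("!H", headers, 14 + 10, ip_checksum(bytes(headers[14:14 + ihl])))
    return bytes(headers) + payload


def eve_timestamp(ts: str):
    """Split an eve.json timestamp such as 2016-02-11T19:30:51.123456+0000 into (sec, usec)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp()), dt.microsecond


def pcap_global_header(snaplen: int = 65535, linktype: int = LINKTYPE_ETHERNET) -> bytes:
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype: 24 bytes
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(sec: int, usec: int, data: bytes) -> bytes:
    # ts_sec, ts_usec, caplen, wirelen: 16 bytes, then the frame
    return struct.pack("<IIII", sec, usec, len(data), len(data)) + data


def eve_to_pcap(lines) -> bytes:
    """One pcap from eve.json lines: the packet field, then (if present) headers + payload field."""
    out = [pcap_global_header()]
    for line in lines:
        ev = json.loads(line)
        if "packet" not in ev:
            continue
        pkt = base64.b64decode(ev["packet"])
        sec, usec = eve_timestamp(ev["timestamp"])
        out.append(pcap_record(sec, usec, pkt))
        if ev.get("payload"):
            out.append(pcap_record(sec, usec, graft_payload(pkt, base64.b64decode(ev["payload"]))))
    return b"".join(out)


def read_pcap(blob: bytes):
    """Walk a pcap blob back into (sec, usec, frame) tuples, for verification."""
    if blob[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("not a little-endian pcap")
    off, records = 24, []
    while off < len(blob):
        sec, usec, caplen, _ = struct.unpack("<IIII", blob[off:off + 16])
        records.append((sec, usec, blob[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return records


def make_sample_event() -> str:
    """Constructed eve.json alert record (not real Suricata output): an Ethernet/IPv4/TCP frame
    carrying 16 bytes of data, plus a longer payload field to graft onto the same headers."""
    data = b"GET / HTTP/1.1\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(data), 1, 0x4000,
                               64, IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1])))
    struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return json.dumps({
        "timestamp": "2016-02-11T19:30:51.123456+0000",
        "event_type": "alert",
        "packet": base64.b64encode(eth + bytes(ip) + tcp + data).decode(),
        "payload": base64.b64encode(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n").decode(),
    })


if __name__ == "__main__":
    with open("eve_sample.pcap", "wb") as fh:
        fh.write(eve_to_pcap([make_sample_event()]))
```

Running the block writes `eve_sample.pcap` with two records: the 70-byte original frame and a 92-byte synthetic frame whose first 54 bytes are the reused headers. Reading it back with `read_pcap` (or tcpdump) is the quickest way to confirm the offsets in the header layout above line up.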

