[Oisf-users] Suricata response events

Javier Nieto jnietotn at gmail.com
Thu Jun 16 21:21:39 UTC 2016


As far as I know the HTTP server response could be logged in the json file
easily. I don't remember if I did something special; I worked with Suricata
some time ago...

My environment was:

Suricata --> json --> [ELK - Elasticsearch API] <-- python script

So I configured a Python script to check the following via the Elasticsearch
API:

>10 *SQL Injection* alerts & <30 sec & HTTP response == 200 --> send me an
email with the attacker's source IP.

I wasn't interested in detecting SQLi attacks, just interested in
successful SQLi attacks.

I don't know if this is what you are looking for...



On Thu, Jun 16, 2016 at 10:32 PM Duane Howard <duane.security at gmail.com>
wrote:

> shameless plug for stenographer as a solution for FPC here too:
> https://github.com/google/stenographer
>
> for a short term hack you could also use the tag:session,60,seconds or
> similar to get the full stream content for rules you want?
>
> On Wed, Jun 15, 2016 at 12:05 PM, Cooper F. Nelson <cnelson at ucsd.edu>
> wrote:
>
>> I never got around to doing it, but Moloch uses ELK as its front end, so
>> it's easy to integrate it with other tools.  You can build queries via a
>> single HTTP request.
>>
>> So something you could do would be to have a cron job watch the text
>> logs for events, scrape events you are interested in, turn them into a
>> Moloch URL and then email them to a SOC handler.  Then they can see the
>> alert and then just click the link to see the IP conversation in context.
>>
>> -Coop
>>
>> On 6/15/2016 11:01 AM, Jordon Carpenter wrote:
>> > Awesome, I will check that out. Thanks!
>> >
>> >
>> > *Jordon Carpenter*
>> > Rook Security <https://www.rooksecurity.com/>
>> > *Anticipate, Manage, & Eliminate Threats*
>>
>>
>> --
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ITS Security Team
>> cnelson at ucsd.edu x41042
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC:
>> http://oisfevents.net
>>
>
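The correlation Javier describes at the top of this message (more than 10 SQL injection alerts from one source inside 30 seconds, all of them answered with HTTP 200) can be reproduced over Suricata EVE JSON alert records. The script below is an added example written for this page, not Javier's own script and not Suricata or Elasticsearch code. It assumes the EVE field names Suricata emits for alerts (timestamp, event_type, src_ip, alert.signature, http.status), that Logstash indexed those fields under the same names, and that the SQLi signatures contain the phrase "SQL Injection"; the sample events are constructed inline so the check runs offline, and the `build_es_query` helper shows the equivalent server-side query DSL without contacting a cluster.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables matching the rule described in the post: more than 10 SQLi alerts,
# inside a 30-second window, whose HTTP response status was 200.
ALERT_THRESHOLD = 10
WINDOW = timedelta(seconds=30)
SUCCESS_STATUS = 200


def is_sqli_success(ev):
    """True for an EVE alert whose signature mentions SQL injection and whose
    server response was 200 (assumed EVE field names: alert.signature, http.status)."""
    if ev.get("event_type") != "alert":
        return False
    sig = ev.get("alert", {}).get("signature", "")
    if "sql injection" not in sig.lower():
        return False
    return ev.get("http", {}).get("status") == SUCCESS_STATUS


def parse_ts(s):
    # EVE timestamps look like 2016-06-16T21:21:39.123456+0000
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def find_successful_sqli_sources(events):
    """Return the set of src_ip values that produced more than ALERT_THRESHOLD
    qualifying alerts within any WINDOW-long sliding window."""
    per_src = defaultdict(list)
    for ev in events:
        if is_sqli_success(ev):
            per_src[ev["src_ip"]].append(parse_ts(ev["timestamp"]))
    flagged = set()
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # slide the window start forward until it spans at most WINDOW
            while t - stamps[start] > WINDOW:
                start += 1
            if end - start + 1 > ALERT_THRESHOLD:
                flagged.add(src)
                break
    return flagged


def build_es_query(window_seconds=30):
    """Elasticsearch query DSL for the same condition evaluated server-side.
    Field names follow EVE JSON as indexed by Logstash (assumption); the index
    name is left to the caller."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event_type": "alert"}},
            {"match_phrase": {"alert.signature": "SQL Injection"}},
            {"term": {"http.status": SUCCESS_STATUS}},
            {"range": {"timestamp": {"gte": f"now-{window_seconds}s"}}},
        ]}},
        # bucket by source address, keeping only buckets above the threshold
        "aggs": {"by_src": {"terms": {"field": "src_ip",
                                      "min_doc_count": ALERT_THRESHOLD + 1}}},
    }


def notification_body(flagged):
    """Plain-text body for the e-mail the post mentions."""
    if not flagged:
        return "no successful SQLi sources in the last window"
    return "successful SQLi sources: " + ", ".join(sorted(flagged))


def make_event(ts, src, sig, status):
    # Constructed EVE-style alert record used by sample_events() below.
    return {"timestamp": ts, "event_type": "alert", "src_ip": src,
            "dest_ip": "10.0.0.5",
            "alert": {"signature": sig, "category": "Web Application Attack"},
            "http": {"hostname": "app.example", "url": "/login", "status": status}}


def sample_events():
    """Constructed sample data: one source that should be flagged, two that should not."""
    sqli = "ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"
    events = []
    # 12 alerts from 203.0.113.7 within 22 seconds, all answered with 200 -> flagged
    for i in range(12):
        events.append(make_event(f"2016-06-16T21:21:{i * 2:02d}.000000+0000",
                                 "203.0.113.7", sqli, 200))
    # 15 alerts from 198.51.100.9, but the server answered 403 -> ignored
    for i in range(15):
        events.append(make_event(f"2016-06-16T21:21:{i:02d}.000000+0000",
                                 "198.51.100.9", sqli, 403))
    # 11 alerts from 192.0.2.4 with 200, but spread 30 s apart over 5 minutes -> below rate
    for i in range(11):
        events.append(make_event(
            f"2016-06-16T21:{20 + (i * 30) // 60:02d}:{(i * 30) % 60:02d}.000000+0000",
            "192.0.2.4", sqli, 200))
    return events


if __name__ == "__main__":
    hits = find_successful_sqli_sources(sample_events())
    print(notification_body(hits))
    print(json.dumps(build_es_query(), indent=2))
```

Whether "HTTP status 200" actually means the injection succeeded depends on the application (many return 200 with an error page), so the status check reduces noise rather than proving exploitation; reviewing the flagged source's full stream, as the stenographer and Moloch suggestions in this thread propose, is the confirmation step.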