[Oisf-users] Suricata response events

Cooper F. Nelson cnelson at ucsd.edu
Thu Jun 16 21:33:01 UTC 2016

Actually, that's an excellent question.

Jordon, if you just want the HTTP server response code (i.e. 200, 404,
etc), you can do that easily with the http logging function.

Just use the 'custom' option

>       custom: yes       # enabled the custom logging format (defined by customformat)
>       customformat: "%{%m/%d/%Y-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"

The '%s' format string is the response code.

More details here:

> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging

Given the context (SQL injection attempt) I'm assuming you are looking
for actual data leakage.  I'll note that the ET ruleset ships with some
signatures to look for SQL in HTTP server responses, but these aren't
guaranteed to work in all cases.  Especially for blind SQL injection.


On 6/16/2016 2:21 PM, Javier Nieto wrote:
> As far as I know the HTTP server response could be logged in the json file
> easily. I don't remember if I did something special, I worked with Suricata
> some time ago...
> My environment was:
> Suricata --> json --> [ELK - Elasticsearch API] <-- python script
> So I configured a python script to check the following via Elasticsearch
>> >10 *SQL Injection* alerts & <30 sec & HTTP response == 200 --> send me an
> email with the attacker's source IP.
> I wasn't interested in detecting SQLi attacks, just interested in
> successful SQLi attacks.
> I don't know if this is what you are looking for...

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
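The correlation Javier describes (more than 10 SQL Injection alerts from one source inside 30 seconds, where the server answered HTTP 200), as an added Python example run over constructed EVE JSON alert lines. This is not Javier's script or any Suricata/ET code; the field names (`src_ip`, `timestamp`, `alert.signature`, `http.status`) are the standard EVE alert fields, while the signature text and IP addresses are made up.

```python
import json
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 30   # "<30 sec" in the original description
THRESHOLD = 10        # ">10 alerts" -> strictly more than 10

def parse_ts(ts: str) -> datetime:
    # Suricata EVE timestamps look like 2016-06-16T14:21:00.123456-0700
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def successful_sqli_sources(eve_lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return the set of src_ip values that raised more than `threshold`
    SQL Injection alerts answered with HTTP 200 inside any `window` seconds."""
    hits = defaultdict(list)
    for line in eve_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        if "SQL Injection" not in ev.get("alert", {}).get("signature", ""):
            continue
        # Only count attempts the server actually answered with 200
        if ev.get("http", {}).get("status") != 200:
            continue
        hits[ev["src_ip"]].append(parse_ts(ev["timestamp"]))
    flagged = set()
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):        # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged

def _alert(ip, second, status):
    # Constructed sample EVE record; the signature name is invented
    return json.dumps({"timestamp": f"2016-06-16T14:21:{second:02d}.000000-0700",
                       "event_type": "alert", "src_ip": ip, "dest_ip": "192.0.2.10",
                       "alert": {"signature": "CONSTRUCTED SQL Injection attempt"},
                       "http": {"status": status}})

SAMPLE_EVE = ([_alert("198.51.100.7", s, 200) for s in range(0, 22, 2)]   # 11 x 200 in 20 s
              + [_alert("203.0.113.5", s, 500) for s in range(0, 22, 2)]  # 11 attempts, all 500
              + [_alert("192.0.2.9", s, 200) for s in range(0, 55, 5)])   # 11 x 200 over 50 s

if __name__ == "__main__":
    print(successful_sqli_sources(SAMPLE_EVE))   # prints {'198.51.100.7'}
```

Swap `SAMPLE_EVE` for `open("/var/log/suricata/eve.json")` to run it against a real log; the ELK query in Javier's setup does the same filtering server-side.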
