[Oisf-users] Suricata response events

Tue Jun 28 20:25:14 UTC 2016

Thanks for the input. Im not looking specifically for SQL events, but more
of, if an alert fires log the session for the 60 or so seconds. I like the
idea of moloch/pigsty combo, but just adding the tag
`tag:session,60,seconds` to a signature would be a lot easier for me.
Anyone know how to implement once you tag a signature? There is no
references in the suricata config file.

*Jordon Carpenter*
Rook Security <https://www.rooksecurity.com/>
*Anticipate, Manage, & Eliminate Threats*

O: 888.712.9531 x734
E: jordon.carpenter at rooksecurity.com

[image: rookconsulting] <https://www.facebook.com/rookconsulting>    [image:
rooksecurity] <https://twitter.com/rooksecurity>    [image: Rook LinkedIn]
<https://www.linkedin.com/company/rook-security>

[image: Seconds Matter]
<https://rooksecurity.sigstr.net/uc/5702adef825be96deedb141a>

This e-mail may contain confidential and privileged material for the sole
use of the intended recipient. Any review, use, distribution or disclosure
by others is strictly prohibited. If you are not the intended recipient (or
authorized to receive for the recipient), please contact the sender by
reply e-mail and delete all copies of this message

[image: Powered by Sigstr]
<https://rooksecurity.sigstr.net/uc/5702adef825be96deedb141a/watermark>

On June 16, 2016 at 5:33:09 PM, Cooper F. Nelson (cnelson at ucsd.edu) wrote:

Actually, that's an excellent question.

Jordon, if you just want the HTTP server response code (i.e. 200, 404,
etc), you can do that easily with the http logging function.

Just use the 'custom' option

> custom: yes # enabled the custom logging format (defined by customformat)
> customformat: "%{%m/%d/%Y-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u
%s %B %a:%p -> %A:%P"

The '%s' format string is the response code.

More details here:

>
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging

Given the context (SQL injection attempt) I'm assuming you are looking
for actual data leakage. I'll note that the ET ruleset ships with some
signatures to look for SQL in HTTP server responses, but these aren't
guaranteed to work in all cases. Especially for blind SQL injection.

-Coop

On 6/16/2016 2:21q PM, Javier Nieto wrote:
> As far as I know the HTTP server response could be logged in the json
file
> easily. I don't remember if I did something special, I worked with
Suricata
> some time ago...
>
> My environment was:
>
> Suricata --> json --> [ELK - Elasticsearch API] <-- python script
>
> So I configured a python script to check the following via Elasticsearch
> API
>
>> >10 *SQL Injection* alerts & <30 sec & HTTP reponse == 200 --> send me
an
> email with the attacker's source IP.
>
> I wasn´t interested in detecting SQLi attacks, just interested in
> successfull SQLi attacks.
>
> I don´t know if this is what you are looking for...

-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160628/730d78fc/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: A-FB.png
Type: image/png
Size: 1070 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160628/730d78fc/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: A-TW.png
Type: image/png
Size: 1249 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160628/730d78fc/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: A-LI.png
Type: image/png
Size: 1160 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160628/730d78fc/attachment-0008.png>