[Oisf-users] Suricata response events

Cooper F. Nelson cnelson at ucsd.edu
Tue Jun 28 20:43:25 UTC 2016


I don't think this was ever formally added as a feature:

> https://redmine.openinfosecfoundation.org/issues/120

Btw, suricata can log full-packet capture, up to the stream depth.  TLS
sessions are truncated past the handshake.  Assuming you have the
storage, you could just log everything and extract the data you want
later by only searching the pcap files from that specific time range.

-Coop

On 6/28/2016 1:25 PM, jordon.carpenter at rooksecurity.com wrote:
> Thanks for the input. Im not looking specifically for SQL events, but more
> of, if an alert fires log the session for the 60 or so seconds. I like the
> idea of moloch/pigsty combo, but just adding the tag
> `tag:session,60,seconds` to a signature would be a lot easier for me.
> Anyone know how to implement once you tag a signature? There is no
> references in the suricata config file.
> 
> 
> 
> 
> *Jordon Carpenter*
> Rook Security <https://www.rooksecurity.com/>
> *Anticipate, Manage, & Eliminate Threats*
> 
> O: 888.712.9531 x734
> E: jordon.carpenter at rooksecurity.com
> 
> [image: rookconsulting] <https://www.facebook.com/rookconsulting>    [image:
> rooksecurity] <https://twitter.com/rooksecurity>    [image: Rook LinkedIn]
> <https://www.linkedin.com/company/rook-security>
> 
> [image: Seconds Matter]
> <https://rooksecurity.sigstr.net/uc/5702adef825be96deedb141a>
> 
> This e-mail may contain confidential and privileged material for the sole
> use of the intended recipient. Any review, use, distribution or disclosure
> by others is strictly prohibited. If you are not the intended recipient (or
> authorized to receive for the recipient), please contact the sender by
> reply e-mail and delete all copies of this message
> 
> [image: Powered by Sigstr]
> <https://rooksecurity.sigstr.net/uc/5702adef825be96deedb141a/watermark>
> 
> 
> On June 16, 2016 at 5:33:09 PM, Cooper F. Nelson (cnelson at ucsd.edu) wrote:
> 
> Actually, that's an excellent question.
> 
> Jordon, if you just want the HTTP server response code (i.e. 200, 404,
> etc), you can do that easily with the http logging function.
> 
> Just use the 'custom' option
> 
>> custom: yes # enabled the custom logging format (defined by customformat)
>> customformat: "%{%m/%d/%Y-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u
> %s %B %a:%p -> %A:%P"
> 
> The '%s' format string is the response code.
> 
> More details here:
> 
>>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging
> 
> Given the context (SQL injection attempt) I'm assuming you are looking
> for actual data leakage. I'll note that the ET ruleset ships with some
> signatures to look for SQL in HTTP server responses, but these aren't
> guaranteed to work in all cases. Especially for blind SQL injection.
> 
> -Coop
> 
> On 6/16/2016 2:21q PM, Javier Nieto wrote:
>> As far as I know the HTTP server response could be logged in the json
> file
>> easily. I don't remember if I did something special, I worked with
> Suricata
>> some time ago...
>>
>> My environment was:
>>
>> Suricata --> json --> [ELK - Elasticsearch API] <-- python script
>>
>> So I configured a python script to check the following via Elasticsearch
>> API
>>
>>>> 10 *SQL Injection* alerts & <30 sec & HTTP reponse == 200 --> send me
> an
>> email with the attacker's source IP.
>>
>> I wasn´t interested in detecting SQLi attacks, just interested in
>> successfull SQLi attacks.
>>
>> I don´t know if this is what you are looking for...
> 
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160628/e3a74f25/attachment-0002.sig>


More information about the Oisf-users mailing list