[Oisf-users] Suricata response events

Petr Chmelar petr.chmelar at greycortex.com
Tue Jun 28 22:02:41 UTC 2016

Hi there,

we're in a progress with the Feature #120 in GreyCortex. And there is 
another feature in our roadmap: to perform some action or, more 
generally, to run a custom script (Lua?) either at the time of the event 
or at the end of the flow. I think, this is what was Jordon originally 
asking for... am I right?

However, we think to embed this into our spooler (like Barnyard2) rather 
then to Suricata itself - it is much cleaner. The question should 
probably go to the devel forum, but is there a place (hook or whatever) 
how to run such scripts from Suricata? There are many other open 
questions as which thread should run it, etc.

Also, Suricata can't extract  data from an arbitrary protocol at the 
moment. This may be a simple task for some unencrypted text-based 
protocols - which database do you use, btw? The problem is, there are 
many more out there as Oracle or Postgres, they are somehow structured, 
binary and encrypted even on localhost by default. It seems extracting 
the query won't be impossible, but in case of the result set, the pcap 
looks as the best option... just after analyzing the DB logs. If you 
have the access, logs are the best way for you.


On 28.6.2016 22:43, Cooper F. Nelson wrote:
> I don't think this was ever formally added as a feature:
>> https://redmine.openinfosecfoundation.org/issues/120
> Btw, suricata can log full-packet capture, up to the stream depth.  TLS
> sessions are truncated past the handshake.  Assuming you have the
> storage, you could just log everything and extract the data you want
> later by only searching the pcap files from that specific time range.
> -Coop
> On 6/28/2016 1:25 PM, jordon.carpenter at rooksecurity.com wrote:
>> Thanks for the input. Im not looking specifically for SQL events, but more
>> of, if an alert fires log the session for the 60 or so seconds. I like the
>> idea of moloch/pigsty combo, but just adding the tag
>> `tag:session,60,seconds` to a signature would be a lot easier for me.
>> Anyone know how to implement once you tag a signature? There is no
>> references in the suricata config file.
>> *Jordon Carpenter*
>> Rook Security <https://www.rooksecurity.com/>
>> *Anticipate, Manage, & Eliminate Threats*
>> O: 888.712.9531 x734
>> E: jordon.carpenter at rooksecurity.com
>> [image: rookconsulting] <https://www.facebook.com/rookconsulting>    [image:
>> rooksecurity] <https://twitter.com/rooksecurity>    [image: Rook LinkedIn]
>> <https://www.linkedin.com/company/rook-security>
>> [image: Seconds Matter]
>> <https://rooksecurity.sigstr.net/uc/5702adef825be96deedb141a>
>> This e-mail may contain confidential and privileged material for the sole
>> use of the intended recipient. Any review, use, distribution or disclosure
>> by others is strictly prohibited. If you are not the intended recipient (or
>> authorized to receive for the recipient), please contact the sender by
>> reply e-mail and delete all copies of this message
>> [image: Powered by Sigstr]
>> <https://rooksecurity.sigstr.net/uc/5702adef825be96deedb141a/watermark>
>> On June 16, 2016 at 5:33:09 PM, Cooper F. Nelson (cnelson at ucsd.edu) wrote:
>> Actually, that's an excellent question.
>> Jordon, if you just want the HTTP server response code (i.e. 200, 404,
>> etc), you can do that easily with the http logging function.
>> Just use the 'custom' option
>>> custom: yes # enabled the custom logging format (defined by customformat)
>>> customformat: "%{%m/%d/%Y-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u
>> %s %B %a:%p -> %A:%P"
>> The '%s' format string is the response code.
>> More details here:
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging
>> Given the context (SQL injection attempt) I'm assuming you are looking
>> for actual data leakage. I'll note that the ET ruleset ships with some
>> signatures to look for SQL in HTTP server responses, but these aren't
>> guaranteed to work in all cases. Especially for blind SQL injection.
>> -Coop
>> On 6/16/2016 2:21q PM, Javier Nieto wrote:
>>> As far as I know the HTTP server response could be logged in the json
>> file
>>> easily. I don't remember if I did something special, I worked with
>> Suricata
>>> some time ago...
>>> My environment was:
>>> Suricata --> json --> [ELK - Elasticsearch API] <-- python script
>>> So I configured a python script to check the following via Elasticsearch
>>> API
>>>>> 10 *SQL Injection* alerts & <30 sec & HTTP reponse == 200 --> send me
>> an
>>> email with the attacker's source IP.
>>> I wasn´t interested in detecting SQLi attacks, just interested in
>>> successfull SQLi attacks.
>>> I don´t know if this is what you are looking for...
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160629/3e687b9b/attachment-0002.html>

More information about the Oisf-users mailing list