[Oisf-users] eve.json logging issues

Adam Witt AWitt at westernalliancebank.com
Tue Nov 22 15:09:11 UTC 2016


Yeah, it would be a common occurrence to have more than one flowbit-related signature return. I’m currently scripting it myself. Though from an Analyst perspective I disagree that an ideal situation would return all associated flowbits. That could certainly get messy, and border on debugging the matching functionality.


From: erik clark [mailto:philosnef at gmail.com]
Sent: Tuesday, November 22, 2016 6:56 AM
To: Adam Witt
Cc: Jason Ish; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] eve.json logging issues

Flowbits could be messy. You might have more than one flowbit, and in any case, you would ideally like to wrap all the sigs that were associated with a flowbit flow into the alert. That could get very ugly.

I think just getting the sig into the alerts would be great as a start. :)

On Mon, Nov 21, 2016 at 8:01 PM, Adam Witt <AWitt at westernalliancebank.com> wrote:
Shortly after sending this, I realized that I asked for two different things. I wouldn't want to log signatures for all set flowbits in a given flow - just signatures which set flowbits that the alerting rule relied on to fire.

--
Adam

-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Adam Witt
Sent: Monday, November 21, 2016 5:08 PM
To: Jason Ish; erik clark
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] eve.json logging issues

+1, adding signature logic to alert output would be a nice convenience.

In that same context, would it be interesting to look at optionally appending signature logic related to flowbits as well? Specifically the signatures which 'set' flowbits required for an alert to fire. My initial thinking is the alert log could include both the alert signature, and the logic for flowbit-related signatures which remained set in the 'flowvars' structure at the time an alert signature matched. I may be considering the wrong aspects of Suricata for the development piece - but this might help provide a well-rounded representation of the decision-making involved in a given alert firing.

--
Adam


-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Jason Ish
Sent: Thursday, November 17, 2016 11:45 AM
To: erik clark
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] eve.json logging issues

On Thu, Nov 17, 2016 at 12:30 PM, erik clark <philosnef at gmail.com> wrote:
> Thanks! That worked.
>
> Is there a way to get the actual content of the signature into the
> alert? So not just the payload, subject, flowdata and so forth, but
> the actual signature itself, so someone can look at it in the alert to
> see why it may have fired erroneously...

No, not currently. But you aren't the first one to ask, so perhaps it's something we should think about doing.

Jason
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://suricon.net

CONFIDENTIALITY. This email and any attachments are confidential, except where the email states it can be disclosed; it may also be privileged. If received in error, please do not disclose the contents to anyone, but notify the sender by return email and delete this email (and any attachments) from your system.
Need to send me a file too big for email? You can upload it at westernalliancebancorp.sharefile.com
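As an added illustration of the enrichment Adam says he is scripting (example code written here, not from the list, from Adam, or from Suricata itself): read an eve.json alert record, attach the full rule text by sid, and also attach the rules that set the flowbits the alerting rule checks with flowbits:isset. The two rules, the eve.json record, the sid values and the flowbit name are all constructed samples.

```python
import json
import re

# Constructed sample rules (not real ET/VRT content): sid 9000001 sets a flowbit
# without alerting, sid 9000002 requires that flowbit to fire.
RULES = r'''
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE stage 1"; flow:established,to_server; content:"/check"; http_uri; flowbits:set,example.stage1; flowbits:noalert; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE stage 2"; flow:established,to_server; flowbits:isset,example.stage1; content:"/poll"; http_uri; sid:9000002; rev:2;)
'''

# Constructed eve.json alert line in the shape Suricata emits (values made up).
SAMPLE_EVENT_JSON = ('{"timestamp":"2016-11-21T17:08:00.000000-0700","event_type":"alert",'
                     '"src_ip":"10.0.0.5","dest_ip":"203.0.113.9","proto":"TCP",'
                     '"alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":2,'
                     '"signature":"EXAMPLE stage 2","category":"","severity":3}}')

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
FLOWBITS_RE = re.compile(r'\bflowbits\s*:\s*(set|isset|isnotset|unset|toggle)\s*,\s*([^;\s]+)\s*;')

def index_rules(text):
    """Return (sid -> rule line, flowbit name -> sids whose rule sets it)."""
    by_sid, setters = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = SID_RE.search(line)
        if not m:
            continue          # not a rule line (or no sid): skip
        sid = int(m.group(1))
        by_sid[sid] = line
        for op, name in FLOWBITS_RE.findall(line):
            if op == 'set':
                setters.setdefault(name, []).append(sid)
    return by_sid, setters

def enrich(event, by_sid, setters):
    """Add alert.rule and alert.flowbit_rules to an eve.json alert event."""
    alert = event.get('alert')
    if event.get('event_type') != 'alert' or not alert:
        return event       # flow, http, dns, ... records pass through untouched
    rule = by_sid.get(alert.get('signature_id'))
    if rule is None:
        return event       # sid not in the loaded rule files
    alert['rule'] = rule
    needed = [n for op, n in FLOWBITS_RE.findall(rule) if op == 'isset']
    alert['flowbit_rules'] = {n: [by_sid[s] for s in setters.get(n, [])] for n in needed}
    return event

def run_sample():
    by_sid, setters = index_rules(RULES)
    return enrich(json.loads(SAMPLE_EVENT_JSON), by_sid, setters)
```

Run over a real deployment by loading the rule files Suricata was started with and piping eve.json line by line through enrich(); a rule that matches with a flowbits:isset whose setter is not in the loaded set shows up as an empty list under flowbit_rules, which is itself worth alerting on.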
