[Oisf-users] ryu and json dicts

Priyatham Ganta gantapritham4 at gmail.com
Thu Dec 5 10:33:14 UTC 2019


Hi Erik,

I have tried Suricata with the Ryu controller using pigrelay. The pigrelay sent
the alert messages. But the Ryu controller failed to recognize the message as
the Ryu controller didn't have the library to identify Suricata messages.
That's the reason I wanted to convert Suricata to Snort messages.

Thanks
Priyatham

On Thu, Dec 5, 2019 at 2:28 AM erik clark <philosnef at gmail.com> wrote:

> Please read through https://github.com/John-Lin/pigrelay. The snort
> integration is just following a snort socket; the same effect can be had by
> continuous integration of eve.json (trivial to process since, you know, it's
> in json format...) and just processing inside of pigrelay. Handoff between
> pigrelay and ryu is even possible using partial extraction from eve alerts.
> Ya, unfortunately, I have no test environment to tinker with pigrelay and
> ryu, so this is really about the only guidance I can offer. Someone else
> may have modified pigrelay, or have some insight into how it can be done.
> Doesn't look like it should be too difficult however, assuming you can hax
> python.
>
> Erik
>
> On Wed, Dec 4, 2019 at 11:31 PM Priyatham Ganta <gantapritham4 at gmail.com>
> wrote:
>
>> Hi Erik,
>>
>> Can you give more details on this parser and any URL on how to use it?
>>
>> Thanks
>>
>>
>> On Tue, 3 Dec 2019 at 04:08, erik clark <philosnef at gmail.com> wrote:
>>
>>> Phone message, sorry for spam. If you are talking about ryu from
>>> openflow, looks like it already has a from_jsondict option. Nearly everything
>>> has a json parser nowadays.
>>>
>>>
>>>
>>> On Tue, Dec 3, 2019, 7:00 AM <
>>> oisf-users-request at lists.openinfosecfoundation.org> wrote:
>>>
>>>>
>>>> Today's Topics:
>>>>
>>>>    1. Re: Question on eve.json file (Jason Ish)
>>>>    2. Suricata-Ryu integration (Priyatham Ganta)
>>>>
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> Message: 1
>>>> Date: Mon, 2 Dec 2019 12:53:19 -0600
>>>> From: Jason Ish <jason.ish at oisf.net>
>>>> To: oisf-users at lists.openinfosecfoundation.org
>>>> Subject: Re: [Oisf-users] Question on eve.json file
>>>> Message-ID: <01e689d1-5ffb-3e59-34b0-48a53c3c5a1a at oisf.net>
>>>> Content-Type: text/plain; charset=utf-8
>>>>
>>>> Hi Leonard,
>>>>
>>>> On 2019-12-01 10:38 p.m., Leonard Jacobs wrote:
>>>> > I have noticed that several log items are nested under alert.  In
>>>> > particular, signature and action are nested under alert.  Is there a way
>>>> > to not have those log items nested under alert with eve.json file?
>>>>
>>>> No, there is not a way to do this with Suricata. Post-processing tools
>>>> like Logstash could likely be configured to make the transformation
>>>> though.
>>>>
>>>> Eve is a generic format with mostly generic event parameters at the top
>>>> level. Anything event_type specific is placed under the object for that
>>>> event_type.
>>>>
>>>> Jason
>>>>
>>>>
>>>> ------------------------------
>>>>
>>>> Message: 2
>>>> Date: Mon, 2 Dec 2019 15:47:22 -0800
>>>> From: Priyatham Ganta <gantapritham4 at gmail.com>
>>>> To: oisf-users at lists.openinfosecfoundation.org
>>>> Subject: [Oisf-users] Suricata-Ryu integration
>>>> Message-ID:
>>>>         <CABXPuZ93NVx8sd3=
>>>> yktw2wgH--973G60COXztvqPFL_g7T233g at mail.gmail.com>
>>>> Content-Type: text/plain; charset="utf-8"
>>>>
>>>> Hi,
>>>>
>>>> I want to integrate Suricata with the Ryu controller and I checked that
>>>> there is no built-in library for Suricata in the Ryu controller.
>>>>
>>>> I was thinking if I can convert Suricata messages to snort messages and
>>>> use the same library or I want to know if there is any other way I can
>>>> integrate Suricata with the Ryu controller to parse the alerts
>>>> generated by Suricata.
>>>>
>>>> Thanks
>>>>
>>>> ------------------------------
>>>>
>>>> End of Oisf-users Digest, Vol 121, Issue 2
>>>> ******************************************
>>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support:
>>> http://suricata-ids.org/support/
>>> List:
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
>>
>>
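The two technical points in this thread are Erik's suggestion to skip the Snort socket and instead do "partial extraction from eve alerts" directly from eve.json, and Jason's explanation that eve keeps generic fields (src_ip, dest_ip, proto) at the top level and puts event_type-specific fields such as signature and action under the `alert` object. The following is an added example illustrating both; it is not code from the thread, from pigrelay, or from Ryu. It reads an eve stream one JSON object per line, keeps only `alert` events, and flattens the nested `alert` fields into the kind of small flat record a controller-side consumer would hand off. The output field names (`sig_id`, `signature`, `action`, ...) are this example's own choice, not pigrelay's or Ryu's schema, and the eve lines are constructed samples.

```python
"""Added example: extract and flatten Suricata eve.json alert events.

Not from the mailing-list thread, pigrelay or Ryu. The flat output schema
below (sig_id, signature, action, src_ip, dest_ip, ...) is an assumption of
this example, and the sample eve lines are constructed.
"""
import json
from typing import Iterable, Iterator, List, Optional

# Constructed sample of an eve.json stream: one flow record (should be
# ignored), one well-formed alert, one line that is not JSON (e.g. a line
# read while Suricata was still writing it), and one alert missing the
# nested "alert" object (should be skipped rather than crash the consumer).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2019-12-02T12:53:19.000000-0600","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    '{"timestamp":"2019-12-02T12:53:20.000000-0600","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":40512,"dest_ip":"10.0.0.9","dest_port":80,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,'
    '"rev":1,"signature":"EXAMPLE local test signature",'
    '"category":"Example Category","severity":2}}',
    'this line is not json',
    '{"timestamp":"2019-12-02T12:53:21.000000-0600","event_type":"alert",'
    '"src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"UDP"}',
]


def iter_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield each JSON object in an eve stream.

    Suricata writes one JSON object per line, so a consumer that follows the
    file must tolerate a blank or partially written line: those are skipped
    instead of aborting the whole stream.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event


def flatten_alert(event: dict) -> Optional[dict]:
    """Turn one eve 'alert' event into a flat record.

    Generic fields (src_ip, dest_ip, proto, ports) live at the top level of
    the eve object; signature, signature_id, action and severity live under
    the nested "alert" object. Returns None for any other event_type, and
    for alert events that lack the nested object.
    """
    if event.get("event_type") != "alert":
        return None
    alert = event.get("alert")
    if not isinstance(alert, dict):
        return None
    return {
        "timestamp": event.get("timestamp"),
        "src_ip": event.get("src_ip"),
        "src_port": event.get("src_port"),
        "dest_ip": event.get("dest_ip"),
        "dest_port": event.get("dest_port"),
        "proto": event.get("proto"),
        # Fields promoted out of the nested "alert" object (assumed names):
        "sig_id": alert.get("signature_id"),
        "signature": alert.get("signature"),
        "action": alert.get("action"),
        "severity": alert.get("severity"),
    }


def extract_alerts(lines: Iterable[str]) -> List[dict]:
    """Flat alert records for every usable alert event in an eve stream."""
    records = []
    for event in iter_events(lines):
        flat = flatten_alert(event)
        if flat is not None:
            records.append(flat)
    return records


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; in practice the lines
    # would come from tailing eve.json as Suricata appends to it.
    for record in extract_alerts(SAMPLE_EVE_LINES):
        print(json.dumps(record))
```

Feeding `iter_events` from a file opened for reading and polled for new lines gives the "continuous integration of eve.json" Erik describes; the parse-failure handling matters there because a reader that keeps pace with Suricata will occasionally see a line before the trailing newline has been written.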