[Oisf-users] Additional data in eve.json

Champ Clark III cclark at quadrantsec.com
Tue Aug 4 16:18:47 UTC 2020


Hello Ramona, 

It's interesting you posted this. I am looking at enriching Suricata EVE data with Meer. We current add DNS information to alerts/EVE if the Meer "DNS" option is enabled. I don't think DNS lookups are something that should happen in Suricata, hence using Meer for those types of JSON enrichments. For more information see [ https://github.com/beave/meer | https://github.com/beave/meer ] 



From: "Ramona Tăme" <ramona.tame at gmail.com> 
To: "oisf-users" <oisf-users at lists.openinfosecfoundation.org> 
Sent: Tuesday, May 26, 2020 9:06:36 AM 
Subject: Re: [Oisf-users] Additional data in eve.json 

It seems I made lots of mistakes. 
I am trying to add more details for triggered alerts listed within eve.json. I am interested for each alert to get the DNS resolved, to get the URL, the certificate and potentially other data. I have enabled extended data within the surricata.yaml config but I still don't get these details I was hoping to get. Does anybody have any suggestions how to do this? If I need to use Lua and generate another output file, does anyone have an example on how to get these details by using Lua? 

Thank you 

On Tue, 26 May 2020 at 10:44, Ramona Tăme < [ mailto:ramona.tame at gmail.com | ramona.tame at gmail.com ] > wrote: 



Hi, 

I am trying to add more that for triggered alerts within eve.json such as DNS lookups, URL, certificates and so on. Would you please let me know how to do it and if need to use a Lua script send it to me if you have any? I enabled extended data within the config and I get more data but not these ones that I need. 

Thank you 




_______________________________________________ 
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org 
Site: http://suricata-ids.org | Support: https://suricata-ids.org/support/ 
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users 

Forum: https://forum.suricata.io 
Trainings: https://suricata-ids.org/training/ 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20200804/c376c745/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2132 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20200804/c376c745/attachment.bin>


More information about the Oisf-users mailing list