[Oisf-users] Additional data in eve.json
Champ Clark III
cclark at quadrantsec.com
Tue Aug 4 16:18:47 UTC 2020
Hello Ramona,
It's interesting you posted this. I am looking at enriching Suricata EVE data with Meer. We currently add DNS information to alerts/EVE when the Meer "DNS" option is enabled. I don't think DNS lookups are something that should happen in Suricata, hence using Meer for those types of JSON enrichments. For more information see https://github.com/beave/meer
From: "Ramona Tăme" <ramona.tame at gmail.com>
To: "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
Sent: Tuesday, May 26, 2020 9:06:36 AM
Subject: Re: [Oisf-users] Additional data in eve.json
It seems I made lots of mistakes.
I am trying to add more details for triggered alerts listed within eve.json. I am interested, for each alert, in getting the DNS resolution, the URL, the certificate and potentially other data. I have enabled extended data within the suricata.yaml config, but I still don't get the details I was hoping for. Does anybody have any suggestions on how to do this? If I need to use Lua and generate another output file, does anyone have an example of how to get these details using Lua?
Thank you
On Tue, 26 May 2020 at 10:44, Ramona Tăme <ramona.tame at gmail.com> wrote:
Hi,
I am trying to add more data for triggered alerts within eve.json, such as DNS lookups, URL, certificates and so on. Would you please let me know how to do it, and if I need to use a Lua script, send it to me if you have one? I enabled extended data within the config and I get more data, but not the data that I need.
Thank you
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: https://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Forum: https://forum.suricata.io
Trainings: https://suricata-ids.org/training/
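The thread asks for alerts carrying DNS, URL and certificate context, and the reply argues that reverse lookups belong in a post-processor rather than in Suricata. Below is an added illustration of that split, written for this page and not code from Meer or from the Suricata project: Suricata already logs dns, tls and http records to eve.json next to alert records, and every record from the same flow shares a flow_id, so a post-processor can join them and add a PTR lookup on top. The EVE lines are constructed samples (hypothetical IPs, flow ids and hostnames), and FAKE_PTR is a constructed stand-in for a real resolver so the example runs offline.

```python
"""Post-process Suricata eve.json: join each alert with the dns/tls/http
records of the same flow (matched on flow_id) and add a reverse-DNS field.

Added example, not code from Suricata or Meer. The sample lines below are
constructed; field names follow the EVE JSON layout, values are made up.
"""
import json
from collections import defaultdict

# Constructed sample eve.json content (hypothetical flow ids, IPs, names).
SAMPLE_EVE = """\
{"timestamp":"2020-08-04T16:00:01.000000+0000","flow_id":1111,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"version":2,"type":"answer","rrname":"update.example.test","rrtype":"A","answers":[{"rrname":"update.example.test","rrtype":"A","rdata":"192.0.2.10"}]}}
{"timestamp":"2020-08-04T16:00:02.000000+0000","flow_id":2222,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","tls":{"sni":"update.example.test","subject":"CN=update.example.test","issuerdn":"CN=Example CA","fingerprint":"aa:bb"}}
{"timestamp":"2020-08-04T16:00:02.500000+0000","flow_id":2222,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature_id":1000001,"signature":"TEST suspicious TLS","category":"Misc","severity":2}}
{"timestamp":"2020-08-04T16:00:03.000000+0000","flow_id":3333,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","http":{"hostname":"files.example.test","url":"/payload.bin","http_method":"GET"}}
{"timestamp":"2020-08-04T16:00:03.200000+0000","flow_id":3333,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","alert":{"signature_id":1000002,"signature":"TEST binary download","category":"Misc","severity":1}}
"""

# Constructed stand-in for a PTR lookup so the example runs offline.
# For real use, replace with a cached socket.gethostbyaddr() wrapper.
FAKE_PTR = {"192.0.2.10": "srv10.example.test"}


def reverse_dns(ip, lookup=FAKE_PTR.get):
    """Return the PTR name for ip, or None when the resolver has nothing."""
    return lookup(ip)


def index_context(records):
    """Build two indexes from the non-alert records:
    flow_id -> {"dns"/"tls"/"http": [app-layer dicts]}, and
    answered IP -> set of names that resolved to it (A/AAAA answers)."""
    by_flow = defaultdict(lambda: defaultdict(list))
    names_for_ip = defaultdict(set)
    for rec in records:
        et = rec.get("event_type")
        if et in ("dns", "tls", "http"):
            by_flow[rec["flow_id"]][et].append(rec[et])
        if et == "dns" and rec["dns"].get("type") == "answer":
            for ans in rec["dns"].get("answers", []):
                if ans.get("rrtype") in ("A", "AAAA"):
                    names_for_ip[ans["rdata"]].add(ans["rrname"])
    return by_flow, names_for_ip


def enrich_alerts(eve_text, ptr_lookup=FAKE_PTR.get):
    """Return a list of alert records, each extended with the latest tls/http
    record of its flow, the DNS names seen resolving to dest_ip, and a PTR."""
    records = [json.loads(line) for line in eve_text.splitlines() if line.strip()]
    by_flow, names_for_ip = index_context(records)
    out = []
    for rec in records:
        if rec.get("event_type") != "alert":
            continue
        enriched = dict(rec)
        ctx = by_flow.get(rec["flow_id"], {})
        for key in ("tls", "http"):
            if ctx.get(key):
                enriched[key] = ctx[key][-1]
        enriched["enrichment"] = {
            "dns_names": sorted(names_for_ip.get(rec["dest_ip"], [])),
            "dest_ptr": reverse_dns(rec["dest_ip"], ptr_lookup),
        }
        out.append(enriched)
    return out


if __name__ == "__main__":
    for alert in enrich_alerts(SAMPLE_EVE):
        print(json.dumps(alert))
```

The join keys on flow_id, so it only works if the dns, tls and http outputs are enabled in the eve-log section of suricata.yaml alongside alert; the DNS answer index is keyed on the resolved address because the DNS exchange and the alerting connection are different flows. Keeping the PTR lookup in the post-processor, with a cache in front of the real resolver, avoids blocking Suricata's packet threads and avoids sending a query to the resolver for every alert.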