aungdin opened this issue 6 years ago (status: Open)
Hi, I do the normalization using the OSSIM Alien Vault log and a shell script with the swatch tool to put the log in the format of the attack map.
Can you please elaborate on the process, @diegodblr?
Ok, the whole process is:
1 - enable fast log in /etc/suricata/suricata.yaml.
2 - configure a shell script to read the fast log and write the log, formatted, for DataServer.py. The shell script result is: echo "$IP,$IP2,$PORT1,$PORT2,$TYPE,$CVE" > /var/log/suricata.log
You can use the software SWATCH to read the fast log. This is the mask to read the fast log with SWATCH: watchfor /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
On Mon, 12 Aug 2019 at 08:22, suhiherazeN1N notifications@github.com wrote:
Can you please elaborate the process @diegodblr https://github.com/diegodblr
View it on GitHub: https://github.com/MatthewClarkMay/geoip-attack-map/issues/25#issuecomment-520386162
Thanks!
But what do I do to parse the Cowrie and Glastopf honeypot logs into the map? Please help, I am very new to this area. @diegodblr
Sorry, but I don't know those tools. Here I work with the Suricata IDS.
Ok. Then can you please elaborate on the OSSIM AlienVault process of log normalization? @diegodblr
How do I do the log normalization?