Closed ReachInfinity closed 7 years ago
Is the log in eve.json as well (it should be, I think)? The other point would be: do you have any alert events in Scirius, or just not this one?
Yes I have the log in /var/log/suricata/eve.json :
{"timestamp":"2017-06-19T17:10:33.000225+0200","flow_id":1179346093358560,"event_type":"fileinfo","src_ip":"74.125.206.94","src_port":80,"dest_ip":"10.0.2.15","dest_port":41058,"proto":"TCP","http":{"hostname":"www.google.fr","url":"\/","http_user_agent":"BlackSun","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3919},"app_proto":"http","fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":3919,"tx_id":0}}
And I have alert events in Scirius, which are:
[20/Jun/2017 07:34:06] "GET /rules/es?query=alerts_count&from_date=1497857616107&prev=1&hosts=* HTTP/1.1" 200 37
I found the problem: I did not specify the eve.json file as an input for Logstash.
Hello, sorry for my English, but I am French. I have a problem with the display of Suricata data in Scirius. The status of Suricata is green.
I did the following test:
curl -A "BlackSun" www.google.com
To match this rule (/etc/suricata/rules/scirius.rules):
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (BlackSun)"; flow:to_server,established; content:"User-Agent|3a| BlackSun"; nocase; http_header; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008983; classtype:trojan-activity; sid:2008983; rev:6;)
In the log /var/log/suricata/fast.log :
06/19/2017-01:32:12.275324 [**] [1:2008983:6] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:49779 -> 74.125.28.99:80
But no data is displayed in Scirius.
Help please.