cisco / joy

A package for capturing and analyzing network flow data and intraflow data, for network research, forensics, and security monitoring.

Using sleuth to calculate distribution of each individual offered cipher suite type #283

Open davidgrewtr opened 4 years ago

davidgrewtr commented 4 years ago

I am using sleuth to calculate the distribution of TLS offered cipher suites:

```
./sleuth sample.gz --select "tls{cs}" --dist
```

This results in sleuth giving the count of the top combinations of cipher suites offered by the client, e.g.:

```json
{"tls": {"cs": ["cc14", "cc13", "c02b"]}, "count": 150, "total": 180}
{"tls": {"cs": ["cc14", "c030", "cca9"]}, "count": 20,  "total": 180}
.......
```

How can I use sleuth to calculate the distribution of each individual "cs"? e.g.:

```json
{"tls": {"cs": ["cc14"]}, "count": 170, "total": 180}
{"tls": {"cs": ["cc13"]}, "count": 150, "total": 180}
{"tls": {"cs": ["c02b"]}, "count": 150, "total": 180}
```

davidgrewtr commented 4 years ago

Anyone? I know it might not be an issue with sleuth itself but I do not know where else to ask this.

banderson84 commented 4 years ago

I am not sure if sleuth can do that. Here is a relatively simple jq/command line query:

```shell
# Emit one cipher suite per line for every flow record that carries a tls.cs list
# (records with no tls object or no cs list are skipped without errors), then
# count and rank the suites. Filter on the tls.cs list itself rather than on its
# elements, so each flow is emitted exactly once.
jq -r 'select(.tls.cs? != null) | .tls.cs[]' joy-output.json | sort | uniq -c | sort -nr
```
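The per-suite distribution the question asks for, as an added Python example that is not part of the joy project or of this thread: it reads joy-style output one JSON object per line, assumes the `{"tls": {"cs": [...]}}` layout quoted above, counts each suite at most once per flow, skips lines that are not JSON or carry no cipher-suite list (joy's leading metadata record, flows without TLS), and emits one record per suite in the sleuth-like `count`/`total` shape described in the question. The sample lines and their addresses are constructed.

```python
import json
from collections import Counter

# Constructed sample of joy-style output, one JSON object per line, shaped like the
# records quoted in this thread ({"tls": {"cs": [...]}}). The first line mimics a
# non-flow metadata record, the last three are records that must be skipped.
SAMPLE_LINES = [
    '{"version": "constructed-sample"}',
    '{"sa": "10.0.0.1", "da": "10.0.0.2", "tls": {"cs": ["cc14", "cc13", "c02b"]}}',
    '{"sa": "10.0.0.3", "da": "10.0.0.2", "tls": {"cs": ["cc14", "c030", "cca9"]}}',
    '{"sa": "10.0.0.4", "da": "10.0.0.2", "tls": {"cs": ["cc14", "cc13", "cc13"]}}',
    '{"sa": "10.0.0.5", "da": "10.0.0.2", "tls": {}}',
    '{"sa": "10.0.0.6", "da": "10.0.0.2"}',
    'not json at all',
]


def offered_suites(line):
    """Return the set of cipher suites a flow record offered, or None when the
    line is not JSON or the record carries no usable tls.cs list."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    tls = record.get("tls") if isinstance(record, dict) else None
    if not isinstance(tls, dict):
        return None
    cs = tls.get("cs")
    if not isinstance(cs, list) or not cs:
        return None
    # A set: a suite repeated inside one ClientHello is counted once for that flow.
    return {str(suite).lower() for suite in cs}


def cipher_suite_distribution(lines):
    """Count, for each cipher suite, how many flows offered it.

    The result mirrors the sleuth --dist shape the question asks for: one record
    per suite, with the number of flows offering it and the total number of
    flows that offered any suite, ordered by count (ties broken by suite name)."""
    counts = Counter()
    total = 0
    for line in lines:
        suites = offered_suites(line)
        if suites is None:
            continue
        total += 1
        counts.update(suites)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [{"tls": {"cs": [suite]}, "count": n, "total": total}
            for suite, n in ordered]


if __name__ == "__main__":
    # Read from the constructed sample; swap in open("joy-output.json") for real data.
    for row in cipher_suite_distribution(SAMPLE_LINES):
        print(json.dumps(row))
```

Because each suite is counted once per flow, `count` never exceeds `total`, so `count / total` is directly the fraction of TLS flows that offered that suite, which is the reading the question's desired output implies.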