failed to read eve.json file as a json

[MalikAsadAwan]

I am trying to read eve.json file and return to my client but there is error because eve.json is not in standard json format structure. Please help me how to read this file.

[doomedraven]

version of suricata?

[MalikAsadAwan]

4.0.4

[doomedraven]

can you post error from log? i have the same version and works just fine

[MalikAsadAwan]

Unexpected token { in JSON at position 1876 at JSON.parse ()

[MalikAsadAwan]

Also in my logs there is no usefull information like src_ip , src_port. see my logs are like this

{"timestamp":"2018-04-16T17:02:00.000396+0500","event_type":"stats","stats":{"uptime":8,"capture":{"kernel_packets":0,"kernel_drops":0},"decoder":{"pkts":0,"bytes":0,"invalid":0,"ipv4":0,"ipv6":0,"ethernet":0,"raw":0,"null":0,"sll":0,"tcp":0,"udp":0,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"ieee8021ah":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":0,"max_pkt_size":0,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"tcp":0,"udp":0,"icmpv4":0,"icmpv6":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7074304},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":0,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":0,"synack":0,"rst":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"overlap":0,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":2293760,"reassembly_memuse":327680},"detect":{"alert":0},"app_layer":{"flow":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":0,"failed_udp":0},"tx":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"dcerpc_udp":0,"dns_udp":0}},"flow_mgr":{"closed_pruned":0,"new_pruned":0,"est_pruned":0,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"file_store":{"open_files":0},"dns":{"memuse":0,"memcap_state":0,"memcap_global":0},"http":{"memuse":0,"memcap":0}}}

[doomedraven]

no no, i mean cuckoo processing log as it starts suricata, but that is weird, is this happens with all or only one?

[MalikAsadAwan]

Please share with me usefull link hoe to install suricata i think error is in installing suricata

[doomedraven]

i suggest you do this if you want to speedup suricata a bit more

# Speedup suricata >= 3.1
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Hyperscan
# https://github.com/01org/hyperscan
cd /tmp
git clone https://github.com/01org/hyperscan.git
cd hyperscan/
mkdir builded
cd builded
sudo apt-get install cmake libboost-dev ragel libhtp2
# doxygen sphinx-common libpcap-dev
cmake -DBUILD_STATIC_AND_SHARED=1 ../
# tests
#bin/unit-hyperscan
make
sudo make install

# if we wan suricata with hyperscan:
sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make libmagic-dev libjansson-dev libjansson4 pkg-config
sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

echo "/usr/local/lib" | sudo tee --append /etc/ld.so.conf.d/usrlocal.conf
sudo ldconfig

# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation
cd /tmp
VER=4.0.4
wget "https://www.openinfosecfoundation.org/download/suricata-$VER.tar.gz"
tar -xvzf "suricata-$VER.tar.gz"
cd "suricata-$VER"
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/
make
sudo make install-full
suricata --build-info|grep Hyperscan

"""
You can now start suricata by running as root something like '/usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.

If a library like libhtp.so is not found, you can run suricata with:
LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0

While rules are installed now, its highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
"""
touch /etc/suricata/threshold.config