spender-sandbox / cuckoo-modified

Modified edition of cuckoo

failed to read eve.json file as a json #504

Closed MalikAsadAwan closed 5 years ago

MalikAsadAwan commented 6 years ago

I am trying to read the eve.json file and return it to my client, but there is an error because eve.json is not in standard JSON format. Please help me with how to read this file.

doomedraven commented 6 years ago

Version of suricata?

MalikAsadAwan commented 6 years ago

4.0.4

doomedraven commented 6 years ago

Can you post the error from the log? I have the same version and it works just fine.

MalikAsadAwan commented 6 years ago

Unexpected token { in JSON at position 1876 at JSON.parse ()

MalikAsadAwan commented 6 years ago

Also, in my logs there is no useful information like src_ip, src_port. See, my logs are like this:

{"timestamp":"2018-04-16T17:02:00.000396+0500","event_type":"stats","stats":{"uptime":8,"capture":{"kernel_packets":0,"kernel_drops":0},"decoder":{"pkts":0,"bytes":0,"invalid":0,"ipv4":0,"ipv6":0,"ethernet":0,"raw":0,"null":0,"sll":0,"tcp":0,"udp":0,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"ieee8021ah":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":0,"max_pkt_size":0,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"tcp":0,"udp":0,"icmpv4":0,"icmpv6":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7074304},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":0,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":0,"synack":0,"rst":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"overlap":0,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":2293760,"reassembly_memuse":327680},"detect":{"alert":0},"app_layer":{"flow":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":0,"failed_udp":0},"tx":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"dcerpc_udp":0,"dns_udp":0}},"flow_mgr":{"closed_pruned":0,"new_pruned":0,"est_pruned":0,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"file_store":{"open_files":0},"dns":{"memuse":0,"memcap_state":0,"memcap_global":0},"http":{"memuse":0,"memcap":0}}}

doomedraven commented 6 years ago

No no, I mean the Cuckoo processing log as it starts suricata. But that is weird, does this happen with all or only one?

MalikAsadAwan commented 6 years ago

Please share with me a useful link on how to install suricata; I think the error is in installing suricata.

doomedraven commented 6 years ago

I suggest you do this if you want to speed up suricata a bit more:

# Speedup suricata >= 3.1
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Hyperscan
# https://github.com/01org/hyperscan
cd /tmp
git clone https://github.com/01org/hyperscan.git
cd hyperscan/
mkdir builded
cd builded
sudo apt-get install cmake libboost-dev ragel libhtp2
# doxygen sphinx-common libpcap-dev
cmake -DBUILD_STATIC_AND_SHARED=1 ../
# tests
#bin/unit-hyperscan
make
sudo make install

# if we want suricata with hyperscan:
sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make libmagic-dev libjansson-dev libjansson4 pkg-config
sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

# make the freshly installed hyperscan libraries visible to the linker
echo "/usr/local/lib" | sudo tee --append /etc/ld.so.conf.d/usrlocal.conf
sudo ldconfig

# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation
cd /tmp
VER=4.0.4
wget "https://www.openinfosecfoundation.org/download/suricata-$VER.tar.gz"
tar -xvzf "suricata-$VER.tar.gz"
cd "suricata-$VER"
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/
make
sudo make install-full
# confirm the build picked up hyperscan
suricata --build-info|grep Hyperscan

# make install-full ends with the following message (kept here as a comment so
# the script stays valid shell):
#
# You can now start suricata by running as root something like '/usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.
#
# If a library like libhtp.so is not found, you can run suricata with:
# LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0
#
# While rules are installed now, its highly recommended to use a rule manager for maintaining rules.
# The two most common are Oinkmaster and Pulledpork. For a guide see:
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

sudo touch /etc/suricata/threshold.config