Need to pull all IPs for an IDS signature

[SomeInfosecGuy]

Before you post your issue make sure it has not been answered yet and provide basic support information if you come to the conclusion it is a new issue.

• 🔍 Use the search function first
• 🧐 Check our WIKI
• 📚 Consult the documentation of 💻 Debian, 🐳 Docker, the 🦌 ELK stack and the 🍯 T-Pot Readme.
• ⚠️ Provide basic support information or similiar information with regard to your issue or we can not help you and will close the issue without further notice

⚠️ Basic support information (commands are expected to run as root)

• What version of the OS are you currently using lsb_release -a and uname -a?
• What T-Pot version are you currently using? 20.06
• What edition (Standard, Nextgen, etc.) of T-Pot are you running? Standard
• What architecture are you running on (i.e. hardware, cloud, VM, etc.)? Baremetal
• Did you have any problems during the install? If yes, please attach /install.log /install.err. No
• How long has your installation been running? Over a week
• Did you install upgrades, packages or use the update script? No
• Did you modify any scripts or configs? If yes, please attach the changes. No
• Please provide a screenshot of glances and htop.
• How much free disk space is available (df -h)? 1.6TB
• What is the current container status (dps.sh)? Active
• What is the status of the T-Pot service (systemctl status tpot)? Running
• What ports are being occupied? Stop T-Pot systemctl stop tpot and run netstat -tulpen
• If a single container shows as DOWN you can run docker logs <container-name> for the latest log entries

Filtering by IP gives me a lot of information, but when I filter by alert keyword the information is in the Suricata logs only. I need to pull all IP address for specific IDS signatures. Is there an easy way to accomplish this?

[t3chn0m4g3]

No, the info is only collected with Suricata and limited to its type within ES. In the /opt/tpot/bin folder is an example to get the top IPs, you can use as base for what you want to do. However, in most cases if Suricata did not match an event againt a known CVE it's probably a non-match.