
suricata-scripts

http_login_audit

  1. Parses requests to the site's login endpoint and emits a corresponding login_audit event.
  2. Checks the account and password submitted to the site against threat intelligence and emits the corresponding tags: [account leak, password leak].
  3. Inspects the challenge field to detect logins that bypassed the CAPTCHA.
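The three steps above as one worked example. This is added illustration code, not the repository's Lua script: it takes the "http" object of a Suricata lua event (the layout of the sample further down this page), parses the form body, tags leaked credentials and flags a CAPTCHA-less login. The login path, the form field names, the leaked-credential sets and the rule that HTTP 200 means the login succeeded are all assumptions for this example.

```ruby
require 'digest'
require 'json'
require 'set'
require 'uri'

# Assumptions (not from the project): the login endpoint, the form field names,
# and the threat-intel sets below, which are constructed for this example.
LOGIN_PATH       = '/login'
ACCOUNT_FIELDS   = %w[username account email]
PASSWORD_FIELDS  = %w[password passwd]
CHALLENGE_FIELDS = %w[challenge captcha]

LEAKED_ACCOUNTS = Set['alice@example.com', 'bob']
# Keep only hashes of leaked passwords so the audit process never holds them in clear text.
LEAKED_PASSWORD_HASHES = Set.new(%w[Password123 letmein].map { |p| Digest::SHA256.hexdigest(p) })

# Parse an application/x-www-form-urlencoded body into a Hash (first value wins on duplicates).
# A non-ASCII or otherwise unparsable body yields no parameters rather than crashing the audit.
def parse_form(body)
  URI.decode_www_form(body.to_s).each_with_object({}) { |(k, v), h| h[k] ||= v }
rescue ArgumentError
  {}
end

# First non-empty value among the candidate field names, or nil.
def first_present(params, fields)
  fields.filter_map { |f| v = params[f]; v unless v.nil? || v.empty? }.first
end

# Build a login_audit record from the "http" object of a Suricata lua event.
# Returns nil for anything that is not a POST to the login endpoint.
def login_audit(http)
  return nil unless http['method'] == 'POST' && http['url_path'] == LOGIN_PATH

  params    = parse_form(http.dig('request', 'body'))
  account   = first_present(params, ACCOUNT_FIELDS)
  password  = first_present(params, PASSWORD_FIELDS)
  challenge = first_present(params, CHALLENGE_FIELDS)

  tags = []
  tags << 'account leak'  if account  && LEAKED_ACCOUNTS.include?(account)
  tags << 'password leak' if password && LEAKED_PASSWORD_HASHES.include?(Digest::SHA256.hexdigest(password))

  # A login the server accepted (status 200 assumed to mean success) that carried no
  # challenge value at all is the CAPTCHA-bypass case being flagged.
  {
    'event_type'        => 'login_audit',
    'hostname'          => http['hostname'],
    'client_ip'         => http['true-client-ip'],
    'account'           => account,
    'status'            => http['status'],
    'challenge_present' => !challenge.nil?,
    'captcha_bypass'    => challenge.nil? && http['status'] == 200,
    'tags'              => tags
  }
end

# Constructed sample in the same "http" shape as the page's event, with a form body filled in.
SAMPLE_LOGIN = {
  'method' => 'POST', 'url_path' => LOGIN_PATH, 'status' => 200,
  'hostname' => 'canon88.github.io', 'true-client-ip' => '189.171.21.136',
  'request' => { 'content-type' => 'application/x-www-form-urlencoded',
                 'body' => 'username=alice%40example.com&password=Password123' }
}

puts JSON.pretty_generate(login_audit(SAMPLE_LOGIN)) if $PROGRAM_NAME == __FILE__
```

The password never leaves the audit record in the clear: only the hash comparison happens, and the emitted event carries the account and the tags, not the secret.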

http_audit

  1. HTTP audit implemented as a Lua output script, chosen mainly because it can be customized freely.
  2. config.json: blacklist/whitelist settings.
  3. template.json: specifies which content is audited.
  4. Adds a Community ID. Sample event:
{
    "alerted": false,
    "src_port": 48838,
    "session_id": "c5ca685bbb69032c7284e344ae3122e9",
    "proto": "TCP",
    "flow_id": "162347013217236",
    "timestamp": "2020-07-20T08:56:10.64623+0000",
    "event_type": "lua",
    "src_ip": "189.171.21.136",
    "dest_port": 8001,
    "http": {
        "proxy-ip": "192.168.1.1",
        "url_path": "/xxxxxxx",
        "protocol": "HTTP/1.1",
        "hostname": "canon88.github.io",
        "true-client-ip": "189.171.21.136",
        "status": 200,
        "method": "POST",
        "response": {
            "server": "nginx",
            "transfer-encoding": "chunked",
            "connection": "keep-alive",
            "cache-control": "no-cache, max-age=0, no-store",
            "pragma": "no-cache",
            "date": "Mon, 20 Jul 2020 08:56:10 GMT",
            "content-encoding": "gzip",
            "vary": "Accept-Encoding",
            "content-type": "application/json;charset=UTF-8"
        },
        "xff": "189.171.21.136, 209.95.131.159, 72.249.195.175",
        "url": "xxxxxxx",
        "x-real-ip": "72.249.195.175",
        "request": {
            "content-type": "application/x-www-form-urlencoded",
            "content-length": 74,
            "accept-encoding": "gzip",
            "pragma": "no-cache",
            "x-forwarded-proto": "https",
            "via": "1.1 v1-akamaitech.net(ghost) (AkamaiGHost), 1.1 akamai.net(ghost) (AkamaiGHost)",
            "body": "this is a request body",
            "cache-control": "no-cache, max-age=0",
            "accept": "application/json"
        },
        "user-agent": "xxxxxxxxxx"
    },
    "event_name": "http",
    "dest_ip": "10.161.11.140",
    "app_type": "web"
}

Suricata_ECS

Workflow: Suricata -> Filebeat -> Logstash -> Elastic

  1. Follows the official ECS format. The official pipeline is Filebeat -> Elastic by default; since I use Logstash for unified ETL, some adjustments were made on top of the original.
  2. Extends the mapping with Ruby.
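One way the Ruby step can map the lua HTTP event above to ECS fields, as an added example rather than the repository's own Logstash configuration. It takes the event as a Hash (what a Logstash ruby filter gets from event.to_hash), normalizes the Suricata timestamp, and collects every address in the CDN and proxy chain into related.ip; the ECS field choices and the dataset name are this example's assumptions.

```ruby
require 'json'
require 'time'

# Trimmed from the sample event on this page.
SAMPLE_EVENT = JSON.parse(<<~JSON)
  {
    "src_port": 48838, "proto": "TCP", "flow_id": "162347013217236",
    "timestamp": "2020-07-20T08:56:10.64623+0000", "event_type": "lua",
    "src_ip": "189.171.21.136", "dest_port": 8001, "dest_ip": "10.161.11.140",
    "http": {
      "proxy-ip": "192.168.1.1", "url_path": "/xxxxxxx", "protocol": "HTTP/1.1",
      "hostname": "canon88.github.io", "true-client-ip": "189.171.21.136",
      "status": 200, "method": "POST",
      "xff": "189.171.21.136, 209.95.131.159, 72.249.195.175", "x-real-ip": "72.249.195.175",
      "request": { "content-type": "application/x-www-form-urlencoded", "content-length": 74 },
      "response": { "content-type": "application/json;charset=UTF-8", "server": "nginx" },
      "user-agent": "xxxxxxxxxx"
    }
  }
JSON

# Suricata writes "+0000" offsets; ECS @timestamp wants strict ISO 8601, here in UTC to ms.
def ecs_timestamp(ts)
  Time.strptime(ts.to_s, '%Y-%m-%dT%H:%M:%S.%N%z').utc.iso8601(3)
rescue ArgumentError
  ts
end

# Drop nil and empty values recursively so absent headers do not become empty ECS fields.
def deep_compact(h)
  h.each_with_object({}) do |(k, v), out|
    v = deep_compact(v) if v.is_a?(Hash)
    out[k] = v unless v.nil? || (v.respond_to?(:empty?) && v.empty?)
  end
end

def to_ecs(ev)
  http = ev.fetch('http', {})
  req  = http.fetch('request', {})
  resp = http.fetch('response', {})
  # Every address in the proxy chain goes into related.ip, so a search for an attacker IP
  # matches whether it appeared as src_ip, X-Forwarded-For, X-Real-IP or True-Client-IP.
  chain   = http['xff'].to_s.split(',').map(&:strip).reject(&:empty?)
  related = ([ev['src_ip'], ev['dest_ip'], http['true-client-ip'],
              http['x-real-ip'], http['proxy-ip']] + chain).compact.uniq

  deep_compact(
    '@timestamp'  => ecs_timestamp(ev['timestamp']),
    'event'       => { 'kind' => 'event', 'module' => 'suricata',
                       'dataset' => "suricata.#{ev['event_type']}",
                       'category' => %w[network web], 'type' => %w[connection access] },
    'source'      => { 'ip' => ev['src_ip'],  'port' => ev['src_port'] },
    'destination' => { 'ip' => ev['dest_ip'], 'port' => ev['dest_port'] },
    'client'      => { 'ip' => http['true-client-ip'] },
    'network'     => { 'transport' => ev['proto']&.downcase, 'protocol' => 'http' },
    'url'         => { 'domain' => http['hostname'], 'path' => http['url_path'] },
    'http'        => {
      'version'  => http['protocol'].to_s.delete_prefix('HTTP/'),
      'request'  => { 'method' => http['method'], 'mime_type' => req['content-type'],
                      'body' => { 'bytes' => req['content-length'] } },
      'response' => { 'status_code' => http['status'], 'mime_type' => resp['content-type'] }
    },
    'user_agent'  => { 'original' => http['user-agent'] },
    'related'     => { 'ip' => related },
    'suricata'    => { 'flow_id' => ev['flow_id'], 'proxy_chain' => chain }
  )
end

puts JSON.pretty_generate(to_ecs(SAMPLE_EVENT)) if $PROGRAM_NAME == __FILE__
```

Inside Logstash the functions would live in the ruby filter's init block and the code block would call to_ecs(event.to_hash) and event.set each top-level key; the one field to hand off differently is @timestamp, which Logstash expects as a Timestamp object rather than a string, so let the date filter parse it from the normalized value.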
