Last active
April 24, 2024 01:15
jstrosch revised this gist
Feb 7, 2023 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -13,7 +13,7 @@ if [ ! -d "$LOG_LOCATION" ]; then mkdir "$LOG_LOCATION" else echo "Log location exists, removing previous content..." rm -rf "$LOG_LOCATION/"* fi # Run Suricata in offline mode (i.e. PCAP processing) -
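Review bot: `mkdir "$LOG_LOCATION"` in this hunk is never checked, so when it fails (an unwritable parent, for instance) the script continues into the `rm -rf` and the Suricata run with no log directory; change it to `mkdir -- "$LOG_LOCATION" || exit 1`. The `-d` test is also satisfied by a symlink at the fixed `/tmp/suricata/` path, and `rm -rf "$LOG_LOCATION/"*` would then follow it into whatever it points at, so for a predictable directory under /tmp a `mktemp -d` location (or at least a `[ -L "$LOG_LOCATION" ]` rejection before the `-d` test) is the safer shape. The new unquoted-glob form also leaves dotfiles behind, which is presumably fine if Suricata writes none there. The assignment of LOG_LOCATION and the rest of the script lie outside this hunk.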
jstrosch revised this gist
Jan 30, 2023 . 1 changed file with 15 additions and 12 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,24 +1,27 @@ #!/usr/bin/env bash PCAPFILE=$1 LOG_LOCATION='/tmp/suricata/' if [ -z $PCAPFILE ] || [ ! -f $PCAPFILE ]; then echo "File ${PCAPFILE} doesnt seem to be there - please supply a pcap file." exit 1; fi if [ ! -d "$LOG_LOCATION" ]; then echo "Attempting to create Suricata log directory..." mkdir "$LOG_LOCATION" else echo "Log location exists, removing previous content..." rm -rf "$LOG_LOCATION/*" fi # Run Suricata in offline mode (i.e. PCAP processing) suricata -c /etc/suricata/suricata.yaml -k none -r $1 --runmode=autofp -l "$LOG_LOCATION" #print out alerts echo -e "\nAlerts:\n" grep '"event_type":"alert"' "$LOG_LOCATION/eve.json" |jq '"\(.timestamp) | \(.alert.gid):\(.alert.signature_id):\(.alert.rev) | \(.alert.signature) | \(.alert.category) | \(.src_ip):\(.src_port) -> \(.dest_ip):\(.dest_port)"' # If you have Evebox installed, you can comment out this line to launch it in oneshot mode evebox oneshot "$LOG_LOCATION/eve.json" -
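Review bot: `rm -rf "$LOG_LOCATION/*"` quotes the glob, so it looks for a file literally named `*` and never clears the previous run's output, which means the later `grep` on eve.json can report stale alerts; the intended form is `rm -rf -- "${LOG_LOCATION:?}"/*`. On the `suricata` line `$1` is unquoted (and `$PCAPFILE` in the `-z`/`-f` test is too), so a pcap path containing spaces breaks both places; quote them, e.g. `-r "$PCAPFILE"`. The comment above `evebox oneshot` says to comment the line out to launch it, but the call is active as written, so the script ends with a command-not-found error wherever Evebox is absent — either comment the call out by default or guard it with `command -v evebox >/dev/null && evebox oneshot "$LOG_LOCATION/eve.json"`. The hunk covers the whole file as rewritten in this revision.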
jstrosch revised this gist
Apr 20, 2022 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -16,7 +16,7 @@ mkdir -p $LOG_PATH rm -rf $LOG_PATH/* ## process pcap suricata -c /etc/suricata/suricata.yaml -k none -r $1 -l $LOG_PATH -s "/home/ubuntu/custom.rules" #print out alerts echo -e "\n[*] Alerts:\n" -
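Review bot: `$1` and `$LOG_PATH` on the changed `suricata` line are unquoted, and the `rm -rf $LOG_PATH/*` context line above it has no guard, so an empty or unset LOG_PATH would expand to `rm -rf /*`; write `rm -rf -- "${LOG_PATH:?}"/*` and `-r "$1" -l "$LOG_PATH"`. LOG_PATH appears to be assigned a literal at the top of the file, outside this hunk, so this is defensive hardening rather than a live failure today. The same unquoted lines are present in the original creation of the file further down this page. The new rules path `/home/ubuntu/custom.rules` is hard-coded to one user's home directory; a `RULES_FILE=${2:-/home/ubuntu/custom.rules}` near the top with `-s "$RULES_FILE"` here would keep the default while letting callers override it.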
jstrosch created this gist
Apr 20, 2022 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,24 @@ #!/usr/bin/env bash SESSION_USER=$(logname) LOG_PATH=/tmp/suricata/ PCAPFILE=$1 if [ -z $PCAPFILE ] || [ ! -f $PCAPFILE ]; then echo "File ${PCAPFILE} doesnt seem to be there - please supply a pcap file." exit 1; fi # make sure log path exists mkdir -p $LOG_PATH # clean up suri logs rm -rf $LOG_PATH/* ## process pcap suricata -c /etc/suricata/suricata.yaml -k none -r $1 -l $LOG_PATH -s "/home/suricata/training/custom.rules" #print out alerts echo -e "\n[*] Alerts:\n" grep '"event_type":"alert"' /tmp/suricata/eve.json |jq '"\(.timestamp) | \(.alert.gid):\(.alert.signature_id):\(.alert.rev) | \(.alert.signature) | \(.alert.category) | \(.src_ip):\(.src_port) -> \(.dest_ip):\(.dest_port)"' echo -e "\n[*] Temporary logs can be found at $LOG_PATH"
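Review bot: the `grep` line reads `/tmp/suricata/eve.json` literally even though `LOG_PATH` is defined for exactly that location, so changing LOG_PATH would silently leave the alert listing pointing at the old directory; use `"$LOG_PATH/eve.json"` to match the `-l $LOG_PATH` passed to suricata. `SESSION_USER=$(logname)` is assigned but never read anywhere in this file, so it can be dropped. The `[ -z $PCAPFILE ] || [ ! -f $PCAPFILE ]` test leaves both expansions unquoted, so an empty argument collapses to `[ -z ]` and only passes by accident, while a path containing spaces fails the `-f` test; quote them as `[ -z "$PCAPFILE" ] || [ ! -f "$PCAPFILE" ]`. `exit 1;` carries a stray semicolon and `echo -e` is not portable across shells; `printf '\n[*] Alerts:\n\n'` is the equivalent.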