SELKS-Suri Tips and Tricks - E17: JQ command cheat sheet for parsing Suricata NSM data

[Mark Durrett]

Hi folks,

Here is your weekly Suricata and SELKS tips and tricks email. Each week we'll feature a blog article or PDF document with something we hope you'll find useful.

Looking to understand how to select, filter and get rapid results from Suricata using JQ - the JSON command-line processing tool - by parsing standard Suricata

eve.json logs. 

Stamus Networks created a cheat sheet with tips and tricks for doing just that. 

The commands covered in this cheat sheet are focused on the NSM data and protocol logs such as SMB, Anomaly, HTTP, DNS, TLS, Flow and others. 

View and download the PDF here: https://www.stamus-networks.com/hubfs/Library/Documents%20(PDFs)/StamusNetworks-CS-JQNSM-102021-1.pdf 

Let us know what you think.

Cheers!

Mark

D. Mark Durrett Chief Marketing Officer Stamus Networks mdur...@stamus-networks.com +1 (919) 345-9515 stamus-networks.com

The content of this email is confidential and intended for the recipient specified in message only. It is strictly forbidden to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future.

[suri cata]

Hi,

Statistics using termgraph.

jq -c 'select(.alert.signature!=null)|[(((.timestamp|split(".")[0:1]|tostring)|split("T")[1:]|tostring)|split(":")[0:2]),.alert.signature]' eve.json| tr -d '[]\\"' | sed 's/,/:/' | awk '{a[$0]++;}END{for (i in a)print i, a[i]}' FS=, OFS=,|sed 's/,/ /'|sort -nrk2 -t,|head -n50|termgraph --title "Estadísticas Alertas x  horas" | colout '^..:..' green | colout "Estad.*" orange reverse | colout '\▇' blue