[File Extraction] - hash file in eve.json alert


Scap

Jul 19, 2019, 4:22:04 AM
to SELKS
Hi,

it's me again...

I am looking for the SHA256 hash of each alert where my file is stored.

I have the file-store section with sha256 and the files section with force-hash with sha256.

Where do I get it? I have found a file-log section, but I really want it in the eve.json file.

Have I missed something in the documentation?

Thank you in advance.

Sca

Peter Manev

Jul 19, 2019, 4:32:49 AM
to Scap, SELKS
You should have it in eve.json - you should have all sorts of hashes.
Now - if there is the hash you are looking for, it may be a different story :)

Do you see any sha256 hashes at all?


--
IRC: Let's talk about SELKS on Freenode IRC on the #SELKS channel
Wiki: https://github.com/StamusNetworks/SELKS/wiki
GitHub: https://github.com/StamusNetworks/SELKS
Blog: https://www.stamus-networks.com/theblog/
Twitter: @StamusN
g+: Stamus Networks
---
You received this message because you are subscribed to the Google Groups "SELKS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to selks+un...@googlegroups.com.
To post to this group, send email to se...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/selks/92bb9349-6ee9-4100-aaa6-5291222c8be2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
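The check Peter asks for (are there any sha256 hashes in eve.json at all?) and the lookup Scap wants (which extracted file and hash belongs to which alert) can both be done over the eve.json stream itself. The script below is an added example, not code from the thread or from SELKS/Suricata. It assumes eve.json is newline-delimited JSON, that file extraction logs `event_type: fileinfo` records with a `sha256` field when `force-hash: [sha256]` is set, and that alerts and file records on the same connection share a `flow_id`; the sample lines and hashes are constructed for the example, not taken from a real sensor.

```python
"""Count sha256 hashes in a Suricata eve.json stream and tie extracted files
to the alerts raised on the same flow.

Assumptions (not from the thread): eve.json is newline-delimited JSON with
"event_type" values "alert" and "fileinfo"; fileinfo records carry "sha256"
because force-hash: [sha256] is configured; alert and fileinfo records on the
same connection share "flow_id". All sample records below are constructed.
"""
import json
from collections import defaultdict

# Constructed sample eve.json lines (dummy IPs, signature ids and hashes).
SAMPLE_EVE = """\
{"timestamp":"2019-07-19T10:22:04.000000+0200","flow_id":1001,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2000001,"signature":"EXAMPLE exe download","severity":2}}
{"timestamp":"2019-07-19T10:22:04.100000+0200","flow_id":1001,"event_type":"fileinfo","src_ip":"10.0.0.9","dest_ip":"10.0.0.5","fileinfo":{"filename":"/update.exe","state":"CLOSED","stored":true,"size":4096,"sha256":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}}
{"timestamp":"2019-07-19T10:22:05.000000+0200","flow_id":1002,"event_type":"fileinfo","src_ip":"10.0.0.9","dest_ip":"10.0.0.5","fileinfo":{"filename":"/index.html","state":"CLOSED","stored":false,"size":512}}
{"timestamp":"2019-07-19T10:22:06.000000+0200","flow_id":1003,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2000002,"signature":"EXAMPLE no file on flow","severity":3}}
"""


def parse_eve(text):
    """Yield parsed eve.json records, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # A truncated last line (sensor still writing) is common; skip it.
            continue


def count_fileinfo_hashes(text):
    """Return (with_sha256, without_sha256) over all fileinfo records.

    A non-zero second number with a zero first one is the symptom from the
    thread: files are logged, but no hash is being written.
    """
    with_hash = without_hash = 0
    for rec in parse_eve(text):
        if rec.get("event_type") != "fileinfo":
            continue
        if rec.get("fileinfo", {}).get("sha256"):
            with_hash += 1
        else:
            without_hash += 1
    return with_hash, without_hash


def index_file_hashes(records):
    """Map flow_id -> [(filename, sha256)] for fileinfo records with a hash."""
    by_flow = defaultdict(list)
    for rec in records:
        if rec.get("event_type") != "fileinfo":
            continue
        info = rec.get("fileinfo", {})
        digest = info.get("sha256")
        if not digest:
            continue  # hashing not forced, or file not fully seen
        by_flow[rec["flow_id"]].append((info.get("filename"), digest))
    return by_flow


def alerts_with_file_hashes(text):
    """For every alert, list the hashed files seen on the same flow_id."""
    records = list(parse_eve(text))
    hashes = index_file_hashes(records)
    result = []
    for rec in records:
        if rec.get("event_type") != "alert":
            continue
        result.append({
            "flow_id": rec["flow_id"],
            "signature_id": rec["alert"]["signature_id"],
            "signature": rec["alert"]["signature"],
            "files": hashes.get(rec["flow_id"], []),
        })
    return result


if __name__ == "__main__":
    with_hash, without_hash = count_fileinfo_hashes(SAMPLE_EVE)
    print("fileinfo records with sha256: %d, without: %d" % (with_hash, without_hash))
    for entry in alerts_with_file_hashes(SAMPLE_EVE):
        print(entry["signature_id"], entry["signature"], entry["files"])
```

On a live box, replace `SAMPLE_EVE` with the contents of the real eve.json; a file that shows up with `stored: true` but no `sha256` points at the `files`/`file-store` output config rather than at the extraction itself.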

Scap

Jul 19, 2019, 10:38:18 AM
to SELKS
OK, now it works. I have repaired Moloch, but I guess this is a different problem.

Well, it works :)

Sca


Peter Manev

Jul 20, 2019, 7:28:57 PM
to Scap, SELKS


On 19 Jul 2019, at 16:38, Scap <scar...@gmail.com> wrote:

OK, now it works. I have repaired Moloch, but I guess this is a different problem.


Why did you have to repair Moloch, what was the problem?


Well, it works :)

Glad it got figured out.


Scarpafo Scarpafo

Jul 21, 2019, 12:29:19 AM
to Peter Manev, SELKS
I think because of the lack of space it was changed to read-only or something like it.
I put the error from capture.log into a search engine and found I had to run a curl command against ES to upgrade the Moloch index. After that it was working.