Suricata的输出

 

 

　　不多说，直接上干货！

 

 　　见官网

https://suricata.readthedocs.io/en/latest/output/index.html

 

 

 

　　总的来说，Suricata采集下来的数据输出分为：EVE 、 Lua Output  、 Syslog Alerting Compatibility  、 Custom http logging  、  Custom tls logging  和   Log Rotation 

 

 

• Docs »
 
• 12. Output
•  Edit on GitHub

---

• 12.1. EVE
  • 12.1.1. Eve JSON Output
    • 12.1.1.1. Output types
    • 12.1.1.2. Alerts
    • 12.1.1.3. DNS
    • 12.1.1.4. TLS
    • 12.1.1.5. Date modifiers in filename
    • 12.1.1.6. Rotate log file
    • 12.1.1.7. Multiple Logger Instances
    • 12.1.1.8. File permissions
    • 12.1.1.9. JSON flags
  • 12.1.2. Eve JSON Format
    • 12.1.2.1. Common Section
      • 12.1.2.1.1. Event types
    • 12.1.2.2. Event type: Alert
      • 12.1.2.2.1. Field action
    • 12.1.2.3. Event type: HTTP
      • 12.1.2.3.1. Fields
      • 12.1.2.3.2. Examples
    • 12.1.2.4. Event type: DNS
      • 12.1.2.4.1. Fields
      • 12.1.2.4.2. Examples
    • 12.1.2.5. Event type: TLS
      • 12.1.2.5.1. Fields
      • 12.1.2.5.2. Examples
  • 12.1.3. Eve JSON ‘jq’ Examples
    • 12.1.3.1. Colorize output
    • 12.1.3.2. DNS NXDOMAIN
    • 12.1.3.3. Unique HTTP User Agents
    • 12.1.3.4. Data use for a host
    • 12.1.3.5. Monitor part of the stats
    • 12.1.3.6. Inspect Alert Data
    • 12.1.3.7. Top 10 Destination Ports
• 12.2. Lua Output
  • 12.2.1. Script structure
  • 12.2.2. YAML
  • 12.2.3. packet
    • 12.2.3.1. SCPacketTimestamp
    • 12.2.3.2. SCPacketTimeString
    • 12.2.3.3. SCPacketTuple
    • 12.2.3.4. SCPacketPayload
  • 12.2.4. flow
    • 12.2.4.1. SCFlowTimestamps
    • 12.2.4.2. SCFlowTimeString
    • 12.2.4.3. SCFlowTuple
    • 12.2.4.4. SCFlowAppLayerProto
    • 12.2.4.5. SCFlowHasAlerts
    • 12.2.4.6. SCFlowStats
    • 12.2.4.7. SCFlowId
  • 12.2.5. http
    • 12.2.5.1. HttpGetRequestBody and HttpGetResponseBody.
    • 12.2.5.2. HttpGetRequestHost
    • 12.2.5.3. HttpGetRequestHeader
    • 12.2.5.4. HttpGetResponseHeader
    • 12.2.5.5. HttpGetRequestLine
    • 12.2.5.6. HttpGetResponseLine
    • 12.2.5.7. HttpGetRawRequestHeaders
    • 12.2.5.8. HttpGetRawResponseHeaders
    • 12.2.5.9. HttpGetRequestUriRaw
    • 12.2.5.10. HttpGetRequestUriNormalized
    • 12.2.5.11. HttpGetRequestHeaders
    • 12.2.5.12. HttpGetResponseHeaders
  • 12.2.6. DNS
    • 12.2.6.1. DnsGetQueries
    • 12.2.6.2. DnsGetAnswers
    • 12.2.6.3. DnsGetAuthorities
    • 12.2.6.4. DnsGetRcode
    • 12.2.6.5. DnsGetRecursionDesired
  • 12.2.7. TLS
    • 12.2.7.1. TlsGetCertInfo
    • 12.2.7.2. TlsGetCertSerial
  • 12.2.8. SSH
    • 12.2.8.1. SshGetServerProtoVersion
    • 12.2.8.2. SshGetServerSoftwareVersion
    • 12.2.8.3. SshGetClientProtoVersion
    • 12.2.8.4. SshGetClientSoftwareVersion
  • 12.2.9. Files
    • 12.2.9.1. SCFileInfo
    • 12.2.9.2. SCFileState
  • 12.2.10. Alerts
    • 12.2.10.1. SCRuleIds
    • 12.2.10.2. SCRuleMsg
    • 12.2.10.3. SCRuleClass
  • 12.2.11. Streaming Data
    • 12.2.11.1. SCStreamingBuffer
  • 12.2.12. Misc
    • 12.2.12.1. SCThreadInfo
    • 12.2.12.2. SCLogError, SCLogWarning, SCLogNotice, SCLogInfo, SCLogDebug
    • 12.2.12.3. SCLogPath
• 12.3. Syslog Alerting Compatibility
  • 12.3.1. Popular syslog daemons
  • 12.3.2. Finding what syslog daemon you are using
  • 12.3.3. Example
• 12.4. Custom http logging
• 12.5. Custom tls logging
• 12.6. Log Rotation