docs: Add an example suricata rule + output to the test pcaps
RickdeJager committed Nov 5, 2023
1 parent c812aee commit 9444915
Showing 2 changed files with 28 additions and 0 deletions.
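--- a/services/test_pcap/eve.json
+++ b/services/test_pcap/eve.json
@@ -0,0 +1,20 @@
+{"timestamp":"2018-06-27T13:25:32.863536+0200","flow_id":1452353730125398,"pcap_cnt":1187,"event_type":"alert","src_ip":"10.10.3.126","src_port":56368,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:25:32.859734+0200"}}
+{"timestamp":"2018-06-27T13:25:32.730991+0200","flow_id":561420746626878,"pcap_cnt":1053,"event_type":"alert","src_ip":"10.10.3.126","src_port":56318,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":22,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":478,"bytes_toclient":4113,"start":"2018-06-27T13:25:32.726846+0200"}}
+{"timestamp":"2018-06-27T13:25:32.765278+0200","flow_id":2139849145229106,"pcap_cnt":1101,"event_type":"alert","src_ip":"10.10.3.126","src_port":56338,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:25:32.761650+0200"}}
+{"timestamp":"2018-06-27T13:25:32.775379+0200","flow_id":1977381269849496,"pcap_cnt":1113,"event_type":"alert","src_ip":"10.10.3.126","src_port":56340,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:25:32.771480+0200"}}
+{"timestamp":"2018-06-27T13:25:32.813865+0200","flow_id":160099002505235,"pcap_cnt":1125,"event_type":"alert","src_ip":"10.10.3.126","src_port":56342,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:25:32.808979+0200"}}
+{"timestamp":"2018-06-27T13:25:34.407695+0200","flow_id":313072852804389,"pcap_cnt":2381,"event_type":"alert","src_ip":"10.10.3.126","src_port":56664,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:25:34.402213+0200"}}
+{"timestamp":"2018-06-27T13:25:34.529182+0200","flow_id":693682117149853,"pcap_cnt":2455,"event_type":"alert","src_ip":"10.10.3.126","src_port":56676,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:25:34.525469+0200"}}
+{"timestamp":"2018-06-27T13:25:34.420240+0200","flow_id":1765894932814306,"pcap_cnt":2393,"event_type":"alert","src_ip":"10.10.3.126","src_port":56666,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:25:34.416226+0200"}}
+{"timestamp":"2018-06-27T13:25:34.321335+0200","flow_id":216803308394774,"pcap_cnt":2320,"event_type":"alert","src_ip":"10.10.3.126","src_port":56654,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":22,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":478,"bytes_toclient":4113,"start":"2018-06-27T13:25:34.317718+0200"}}
+{"timestamp":"2018-06-27T13:25:34.357527+0200","flow_id":1869972727817555,"pcap_cnt":2368,"event_type":"alert","src_ip":"10.10.3.126","src_port":56662,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:25:34.353619+0200"}}
+{"timestamp":"2018-06-27T13:26:02.613070+0200","flow_id":1721216537347717,"pcap_cnt":5035,"event_type":"alert","src_ip":"10.10.3.126","src_port":56804,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":22,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":478,"bytes_toclient":4113,"start":"2018-06-27T13:26:02.607877+0200"}}
+{"timestamp":"2018-06-27T13:26:02.659710+0200","flow_id":337854815928591,"pcap_cnt":5098,"event_type":"alert","src_ip":"10.10.3.126","src_port":56814,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:26:02.655631+0200"}}
+{"timestamp":"2018-06-27T13:26:02.650619+0200","flow_id":1951265723178573,"pcap_cnt":5086,"event_type":"alert","src_ip":"10.10.3.126","src_port":56812,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:26:02.646733+0200"}}
+{"timestamp":"2018-06-27T13:26:02.712247+0200","flow_id":1739294054727271,"pcap_cnt":5111,"event_type":"alert","src_ip":"10.10.3.126","src_port":56816,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:26:02.704103+0200"}}
+{"timestamp":"2018-06-27T13:26:02.874624+0200","flow_id":153510524633646,"pcap_cnt":5218,"event_type":"alert","src_ip":"10.10.3.126","src_port":56826,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:26:02.868910+0200"}}
+{"timestamp":"2018-06-27T13:26:04.365438+0200","flow_id":1461901444547464,"pcap_cnt":6479,"event_type":"alert","src_ip":"10.10.3.126","src_port":57010,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":22,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":478,"bytes_toclient":4113,"start":"2018-06-27T13:26:04.361352+0200"}}
+{"timestamp":"2018-06-27T13:26:04.444369+0200","flow_id":1166678277536131,"pcap_cnt":6528,"event_type":"alert","src_ip":"10.10.3.126","src_port":57018,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:26:04.440707+0200"}}
+{"timestamp":"2018-06-27T13:26:04.453926+0200","flow_id":747727840141177,"pcap_cnt":6540,"event_type":"alert","src_ip":"10.10.3.126","src_port":57020,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:26:04.450425+0200"}}
+{"timestamp":"2018-06-27T13:26:04.619382+0200","flow_id":736902375039310,"pcap_cnt":6615,"event_type":"alert","src_ip":"10.10.3.126","src_port":57032,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:26:04.614734+0200"}}
+{"timestamp":"2018-06-27T13:26:04.520356+0200","flow_id":1295628228156451,"pcap_cnt":6554,"event_type":"alert","src_ip":"10.10.3.126","src_port":57022,"dest_ip":"10.10.3.1","dest_port":5000,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1001200,"rev":1,"signature":"Example - single character password","category":"","severity":3},"http":{"hostname":"10.10.3.1","http_port":5000,"url":"/login","http_user_agent":"python-requests/2.19.1","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":3684},"files":[{"filename":"/login","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":24,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":480,"bytes_toclient":4113,"start":"2018-06-27T13:26:04.515107+0200"}}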
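--- a/services/test_pcap/example.rule
+++ b/services/test_pcap/example.rule
@@ -0,0 +1,8 @@
+# Just as an example, this suricata rule tags every single-character password in the starchaser service
+# that is included as a test pcap.
+
+alert tcp any any -> any 5000 (msg: "Example - single character password"; flow:to_server; \
+content:"POST"; http_method; content:"/login"; http_uri; \
+content: "password"; http_client_body; pcre:"/password=[A-Za-z0-9]&/"; \
+metadata: tag, enemy; \
+sid:1001200; rev: 1;)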
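Review bot: The pcre on the third rule line, `password=[A-Za-z0-9]&`, only fires when the password field is followed by another parameter, so a single-character password sent as the last field of the form body (no trailing `&`) is never tagged, and the bare `password=` also matches inside a longer field name such as `newpassword=`. Anchoring both ends and scoping the regex to the request body, e.g. `pcre:"/(?:^|&)password=[A-Za-z0-9](?:&|$)/P";`, closes both gaps; without the `P` flag the regex is evaluated against the raw payload rather than the http_client_body buffer the preceding `content` keyword already selects, so the two matches are not guaranteed to refer to the same bytes. The character class also excludes single-character passwords made of punctuation, which the header comment claims to cover; `[^&]` would accept any single literal byte, although a percent-encoded character would still be three bytes long and escape the check. The alerts in the accompanying eve.json all have 22- or 24-byte bodies ending in a matched `&`, which is consistent with the test traffic but does not exercise the last-field case.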
