OSSIM to geoip-attack-map #25
Comments
|
Hi, I do the normalization using the OSSIM Alien Vault log and a shell script with the swatch tool to put the log in the format of the attack map. |
|
Can you please elaborate the process @diegodblr |
|
Ok, the all process is:
1 - enable fast log in /etc/suricata/suricata.yaml.
2- configure a shell script to read the fast log and write the log
formatted to DataServer.py. The shell script result is:
*echo "$IP,$IP2,$PORT1,$PORT2,$TYPE,$CVE" > /var/log/suricata.log*
You can use the software SWATCH to read the fast log. This is the mask to
read the fast log with SWATCH: *watchfor
/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/*
Em seg, 12 de ago de 2019 às 08:22, suhiherazeN1N <[email protected]>
escreveu:
… Can you please elaborate the process @diegodblr
<https://github.com/diegodblr>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#25?email_source=notifications&email_token=AFIJCLQLYLBMAL72SUEZL2TQEFBVVA5CNFSM4EXLLX22YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD4CHM4Q#issuecomment-520386162>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFIJCLXGUFVANIGDYF4U2YLQEFBVVANCNFSM4EXLLX2Q>
.
|
|
Thanks ! But what to do to parse the Cowrie and glastopf honeypot log into the map? Please help I am very much new to this area. @diegodblr |
|
Sorry, but I don't know these softwares. Here I work with IDS Suricata. |
|
Ok. Then can you please elaborate the OSSIM Alien Vault process of Log Normalization? @diegodblr |
|
Ok, the all process is: 1 - enable fast log in /etc/suricata/suricata.yaml. You can use the software SWATCH to read the fast log. This is the mask to |
How to log normalization ?
The text was updated successfully, but these errors were encountered: