suricata-eve-log-analysis
# -*- coding:utf8 -*-
"""
Author : Myth
Date : 2019/7/1
Email : email4myth at gmail.com
"""
from __future__ import unicode_literals
import csv
import json
import os
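def main(eve_json_dir='/data/.prsdata/cncert/part1',
         output_csv='beijing-cncert-part1.csv',
         ip_filter='223.113'):
    """Aggregate Suricata EVE alert events per signature and write a CSV summary.

    Every regular file in ``eve_json_dir`` is read line by line as EVE JSON
    (one event per line).  Only ``event_type == 'alert'`` events whose
    ``src_ip`` AND ``dest_ip`` both contain ``ip_filter`` are kept; they are
    counted per ``alert.signature_id`` and written to ``output_csv`` sorted by
    severity, then by count, both descending.

    Args:
        eve_json_dir: directory holding the EVE JSON files.  Entries that are
            not regular files (e.g. sub-directories) are skipped.
        output_csv: path of the CSV report to write (a header row is written).
        ip_filter: substring that must appear in both endpoint addresses.
            NOTE(review): this is a plain substring test, so '223.113' also
            matches addresses such as '10.223.113.5'; use the ``ipaddress``
            module if an exact network-membership check is wanted.

    Lines that are not valid JSON are reported on stdout and skipped.
    """
    eve_logs = {}
    for name in sorted(os.listdir(eve_json_dir)):
        path = os.path.abspath(os.path.join(eve_json_dir, name))
        if not os.path.isfile(path):
            # os.listdir() also returns sub-directories; open() would fail on them.
            continue
        # Binary mode: json.loads() accepts bytes on Py3.6+ and str on Py2.
        # The with-block closes the file, which the original bare open() did not.
        with open(path, 'rb') as eve_file:
            for line_no, line in enumerate(eve_file, 1):
                try:
                    eve_data = json.loads(line)
                except ValueError:
                    print('Eve JSON file: %s#%s, invalid format' % (path, line_no))
                    continue
                # A syntactically valid line that is not a JSON object is not
                # an EVE event; skip it instead of failing on .get().
                if not isinstance(eve_data, dict):
                    continue
                if eve_data.get('event_type') != 'alert':
                    continue
                # Keep only alerts where *both* endpoints match the filter.
                src_ip = eve_data.get('src_ip', '')
                dest_ip = eve_data.get('dest_ip', '')
                if ip_filter not in src_ip or ip_filter not in dest_ip:
                    continue
                alert = eve_data['alert']
                signature_id = alert['signature_id']
                entry = eve_logs.get(signature_id)
                if entry is None:
                    # Signature text/category/severity are taken from the
                    # first alert seen for this signature_id.
                    eve_logs[signature_id] = {
                        'signature_id': signature_id,
                        'signature': alert['signature'],
                        'category': alert['category'],
                        'severity': alert['severity'],
                        'count': 1,
                    }
                else:
                    entry['count'] += 1
    # A tuple key replaces the old '%3d_%7d' string key: numeric ordering no
    # longer breaks once a count exceeds seven digits.
    # NOTE(review): Suricata's alert severity is a priority where 1 is the most
    # severe, so reverse=True lists the *least* severe signatures first --
    # confirm this is the intended order.
    sorted_eve_logs = sorted(
        eve_logs.values(),
        key=lambda eve_log: (eve_log['severity'], eve_log['count']),
        reverse=True,
    )
    fieldnames = ['category', 'signature_id', 'signature', 'severity', 'count']
    # Plain 'w' mode keeps Py2 compatibility; on Py3/Windows pass newline=''.
    with open(output_csv, 'w') as f:
        csv_writer = csv.DictWriter(f, fieldnames=fieldnames)
        csv_writer.writeheader()
        for eve_log in sorted_eve_logs:
            csv_writer.writerow(eve_log)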
# Script entry point: run the analysis only when executed directly, not on import.
if __name__ == "__main__":
    main()