hillar · February 2, 2017 13:54
diff --git a/parseSuricataInSyslogBotAndSendToXMPP.py b/parseSuricataInSyslogBotAndSendToXMPP.py
 """
 /etc/suricata/suricata.yaml
 ...

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: syslog 
      filename: eve.json
      prefix: "@cee: " 
      # the following are valid when type: syslog above
      identity: "suricata"
      facility: local5
      level: Info

 ...
 ------

 # tail -f /var/log/syslog | grep signature    
 2017-02-02T13:41:23.948224+00:00 suricata.yellow.ex suricata[5123]: @cee: {"timestamp":"2017-02-02T13:41:23.948080+0000","flow_id":583985478663394,"in_iface":"eth2","event_type":"alert","vlan":3603,"src_ip":"2a07:1181:0130:3603:0000:0000:0000:0004","src_port":42188,"dest_ip":"2a07:1181:0130:3607:0000:0000:0000:0002","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
 """

 from abusehelper.core import bot, events
 from abusehelper.bots.tailbot.tailbot import TailBot
 import json

 class SuricataInSyslogBot(TailBot):
    path = bot.Param("syslog file path")

    def parse(self, line, _):
        line = line.strip()
        if not line:
            return
        pos = line.find("]: @cee: {")
    	try:
            j = json.loads(line[pos+9:])
    	except ValueError:
    		return
    	if j['event_type'] == "alert":
            facts = dict()
            facts['timestamp'] = j['timestamp']
            facts['vlan'] = j['vlan']
            facts['src_ip'] = j['src_ip']
            facts['dest_ip'] = j['dest_ip']
            facts['alert'] = j['alert']['signature']
    	      return events.Event(facts)
      return

 if __name__ == "__main__":
    SuricataInSyslogBot.from_command_line().execute()
	"""
	/etc/suricata/suricata.yaml
	...

	# Extensible Event Format (nicknamed EVE) event log in JSON format
	- eve-log:
	enabled: yes
	filetype: syslog
	filename: eve.json
	prefix: "@cee: "
	# the following are valid when type: syslog above
	identity: "suricata"
	facility: local5
	level: Info

	...
	------

	# tail -f /var/log/syslog \| grep signature
	2017-02-02T13:41:23.948224+00:00 suricata.yellow.ex suricata[5123]: @cee: {"timestamp":"2017-02-02T13:41:23.948080+0000","flow_id":583985478663394,"in_iface":"eth2","event_type":"alert","vlan":3603,"src_ip":"2a07:1181:0130:3603:0000:0000:0000:0004","src_port":42188,"dest_ip":"2a07:1181:0130:3607:0000:0000:0000:0002","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
	"""

	from abusehelper.core import bot, events
	from abusehelper.bots.tailbot.tailbot import TailBot
	import json

	class SuricataInSyslogBot(TailBot):
	path = bot.Param("syslog file path")

	def parse(self, line, _):
	line = line.strip()
	if not line:
	return
	pos = line.find("]: @cee: {")
	try:
	j = json.loads(line[pos+9:])
	except ValueError:
	return
	if j['event_type'] == "alert":
	facts = dict()
	facts['timestamp'] = j['timestamp']
	facts['vlan'] = j['vlan']
	facts['src_ip'] = j['src_ip']
	facts['dest_ip'] = j['dest_ip']
	facts['alert'] = j['alert']['signature']
	return events.Event(facts)
	return

	if __name__ == "__main__":
	SuricataInSyslogBot.from_command_line().execute()