You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@metron.apache.org by Carolyn Duby <cd...@hortonworks.com> on 2017/09/25 13:49:37 UTC

Suricata parser

Is anyone working on a Suricata parser?  

https://suricata-ids.org/


I was not able to find an enhancement request for it.

Thanks
Carolyn

Re: Suricata parser

Posted by Simon Elliston Ball <si...@simonellistonball.com>.

Suricata will quite happily produce json (http://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html <http://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html>) , which works nicely in the the JSONMapParser. You can then use simple field transformations from that map. That said I have seen a few people working on suricata specific parsers to make this even easier. 

Simon

> On 17 Oct 2017, at 11:27, Zeolla@GMail.com <ze...@gmail.com> wrote:
> 
> I would love to see one, and if it doesn't exist in the next few weeks I'm
> going to take a stab at it.
> 
> Jon
> 
> On Mon, Sep 25, 2017, 09:49 Carolyn Duby <cd...@hortonworks.com> wrote:
> 
>> 
>> Is anyone working on a Suricata parser?
>> 
>> https://suricata-ids.org/
>> 
>> 
>> I was not able to find an enhancement request for it.
>> 
>> Thanks
>> Carolyn
>> 
> -- 
> 
> Jon

Re: Suricata parser

Posted by "Zeolla@GMail.com" <ze...@gmail.com>.

I would love to see one, and if it doesn't exist in the next few weeks I'm
going to take a stab at it.

Jon

On Mon, Sep 25, 2017, 09:49 Carolyn Duby <cd...@hortonworks.com> wrote:

>
> Is anyone working on a Suricata parser?
>
> https://suricata-ids.org/
>
>
> I was not able to find an enhancement request for it.
>
> Thanks
> Carolyn
>
-- 

Jon