15.1.1. EVE JSON Output

The EVE output facility outputs alerts, anomalies, metadata, file info and protocol specific records through JSON.

The most common way to use this is through 'eve', which is a firehose approach where all these logs go into a single file.

outputs:
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      # Enable for multi-threaded eve.json output; output files are amended
      # with an identifier, e.g., eve.9.json
      #threaded: false
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      #redis:
      #  server: 127.0.0.1
      #  port: 6379
      #  async: true ## if redis replies are read asynchronously
      #  mode: list ## possible values: list|lpush (default), rpush, channel|publish
      #             ## lpush and rpush are using a Redis list. "list" is an alias for lpush
      #             ## publish is using a Redis channel. "channel" is an alias for publish
      #  key: suricata ## key or channel to use (default to suricata)
      # Redis pipelining set up. This will enable to only do a query every
      # 'batch-size' events. This should lower the latency induced by network
      # connection at the cost of some memory. There is no flushing implemented
      # so this setting has to be reserved to high traffic suricata.
      #  pipelining:
      #    enabled: yes ## set enable to yes to enable query pipelining
      #    batch-size: 10 ## number of entry to keep in buffer

      # Include top level metadata. Default yes.
      #metadata: no

      types:
        - alert:
            # payload: yes             # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
            # packet: yes              # enable dumping of packet (without stream segments)
            # http-body: yes           # Requires metadata; enable dumping of http body in Base64
            # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format

            # Enable the logging of tagged packets for rules using the
            # "tag" keyword.
            tagged-packets: yes

            # Configure the metadata to be logged along with an
            # alert. The following shows the default configuration
            # which is used if this field is not provided or simply
            # set to a truthful value. Setting of this section is only
            # required if you wish to enable/disable specific fields.
            #metadata:

              # Include the decoded application layer (ie. http, dns)
              app-layer: true

              # Log the current state of the flow record.
              flow: true

              rule:
                # Log the metadata field from the rule in a structured
                # format.
                metadata: true

                # Log the raw rule text.
                raw: false

            # HTTP X-Forwarded-For support by adding an extra field or overwriting
            # the source or destination IP address (depending on flow direction)
            # with the one reported in the X-Forwarded-For HTTP header. This is
            # helpful when reviewing alerts for traffic that is being reverse
            # or forward proxied.
            xff:
              enabled: no
              # Two operation modes are available, "extra-data" and "overwrite".
              mode: extra-data
              # Two proxy deployments are supported, "reverse" and "forward". In
              # a "reverse" deployment the IP address used is the last one, in a
              # "forward" deployment the first IP address is used.
              deployment: reverse
              # Header name where the actual IP address will be reported, if more
              # than one IP address is present, the last IP address will be the
              # one taken into consideration.
              header: X-Forwarded-For
        - http:
            extended: yes     # enable this for extended logging information
            # custom allows additional http fields to be included in eve-log
            # the example below adds three additional fields when uncommented
            #custom: [Accept-Encoding, Accept-Language, Authorization]
        - dns:
            # Use version 2 logging with the new format:
            # dns answers will be logged in one single event
            # rather than an event for each of the answers.
            # Without setting a version the version
            # will fallback to 1 for backwards compatibility.
            version: 2

            # Enable/disable this logger. Default: enabled.
            #enabled: no

            # Control logging of requests and responses:
            # - requests: enable logging of DNS queries
            # - responses: enable logging of DNS answers
            # By default both requests and responses are logged.
            #requests: no
            #responses: no

            # Format of answer logging:
            # - detailed: array item per answer
            # - grouped: answers aggregated by type
            # Default: all
            #answer-format: [detailed, grouped]

            # Answer types to log.
            # Default: all
            #answer-types: [a, aaaa, cname, mx, ns, ptr, txt]
        - dns:
            # Version 1 DNS logger.
            # Deprecated: Will be removed by May 2022.
            version: 1

            enabled: no
            # control logging of queries and answers
            # default yes, no to disable
            query: yes     # enable logging of DNS queries
            answer: yes    # enable logging of DNS answers
            # control which RR types are logged
            # all enabled if custom not specified
            #custom: [a, aaaa, cname, mx, ns, ptr, txt]
        - tls:
            extended: yes     # enable this for extended logging information
            # output TLS transaction where the session is resumed using a
            # session id
            #session-resumption: no
            # custom allows to control which tls fields that are included
            # in eve-log
            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
        - files:
            force-magic: no   # force logging magic on all logged files
            # force logging of checksums, available hash functions are md5,
            # sha1 and sha256
            #force-hash: [md5]
        #- drop:
        #    alerts: yes      # log alerts that caused drops
        #    flows: all       # start or all: 'start' logs only a single drop
        #                     # per flow direction. All logs each dropped pkt.
        - smtp:
            #extended: yes # enable this for extended logging information
            # this includes: bcc, message-id, subject, x_mailer, user-agent
            # custom fields logging from the list:
            #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
            #  x-originating-ip, in-reply-to, references, importance, priority,
            #  sensitivity, organization, content-md5, date
            #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
            # output md5 of fields: body, subject
            # for the body you need to set app-layer.protocols.smtp.mime.body-md5
            # to yes
            #md5: [body, subject]

        # NFS logging. Requires Rust.
        - nfs
        # IKE logging. Requires Rust.
        - ike
        - ssh
        - stats:
            totals: yes       # stats for all threads merged together
            threads: no       # per thread stats
            deltas: no        # include delta values
        - dhcp:
            # DHCP logging requires Rust.
            enabled: yes
            # When extended mode is on, all DHCP messages are logged
            # with full detail. When extended mode is off (the
            # default), just enough information to map a MAC address
            # to an IP address is logged.
            extended: no
        # bi-directional flows
        - flow
        # uni-directional flows
        #- netflow

        # An event for logging metadata, specifically pktvars when
        # they are set, but will also include the full metadata object.
        #- metadata

Each alert, HTTP log, etc. will go into this one file: 'eve.json'. This file can then be processed by third-party tools like Logstash (ELK) or jq.
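
As an added example (not part of the Suricata documentation or code base), the following Python reads EVE lines the way a small consumer would before handing them to a pipeline such as Logstash: it tolerates a truncated line, groups records by event_type, joins each alert to the flow record that shares its flow_id, and decodes the base64 payload that the alert logger emits when payload: yes is set. The sample lines are constructed; the field names follow the EVE format, but the addresses, signature and payload are made up.

```python
"""Read EVE JSON lines and join alerts to their flow records.

Added example, not part of Suricata or its documentation. The sample
records below are constructed for illustration; only the field names
(event_type, flow_id, alert, flow, payload) follow the EVE format.
"""
import base64
import json
from collections import defaultdict

# Constructed sample of what a few lines of eve.json look like. The
# base64 payload decodes to an HTTP request line; the last line is
# deliberately truncated, as happens when a file is rotated mid-write.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2003-12-16T13:21:44.891921+0000","flow_id":1332028388187153,'
    '"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1,"signature":"TEST"},'
    '"payload":"R0VUIC9pbmRleC5odG1sIEhUVFAvMS4xDQo="}',
    '{"timestamp":"2003-12-16T13:21:45.037333+0000","flow_id":1332028388187153,'
    '"event_type":"flow","flow":{"pkts_toserver":5,"pkts_toclient":4,'
    '"state":"closed","alerted":true}}',
    '{"timestamp":"2003-12-16T13:21:46.000000+0000","flow_id":99,'
    '"event_type":"dns"}',
    '{"timestamp":"2003-12-16T13:21:47.000000+0000","flow_id":7,"event_ty',
]


def parse_eve_lines(lines):
    """Return (records, skipped): one dict per well-formed line, plus a
    count of broken lines. A growing skip count usually means truncated
    writes, so callers should watch it rather than silently drop data."""
    records, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return records, skipped


def index_by_type(records):
    """Group records by event_type, e.g. index['alert'] -> [records]."""
    index = defaultdict(list)
    for rec in records:
        index[rec.get("event_type", "unknown")].append(rec)
    return index


def join_alerts_to_flows(records):
    """Attach the matching flow record to each alert via flow_id.

    The flow record is emitted when the flow ends, so it appears after
    the alerts that reference it; index the flows first, then walk alerts.
    """
    flows = {r["flow_id"]: r["flow"] for r in records if r.get("event_type") == "flow"}
    joined = []
    for rec in records:
        if rec.get("event_type") != "alert":
            continue
        joined.append({
            "signature_id": rec["alert"]["signature_id"],
            "src_ip": rec.get("src_ip"),
            "dest_ip": rec.get("dest_ip"),
            "flow": flows.get(rec["flow_id"]),  # None if the flow has not ended yet
        })
    return joined


def decode_payload(record):
    """Return the alert's base64 payload as bytes (None if not logged).

    Needs 'payload: yes' on the alert logger. The bytes are attacker
    supplied traffic: never render them unescaped in a UI or terminal.
    """
    encoded = record.get("payload")
    return base64.b64decode(encoded) if encoded else None


if __name__ == "__main__":
    recs, bad = parse_eve_lines(SAMPLE_EVE_LINES)
    print(f"parsed {len(recs)} records, skipped {bad}")
    for item in join_alerts_to_flows(recs):
        print(item)
```

The join relies on flow_id being shared by every record Suricata emits for one flow, which is what makes eve.json usable as a single stream: protocol records, alerts and the closing flow record can all be tied back together after the fact.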

If ethernet is set to yes, the Ethernet header is added to the event when available.

15.1.1.1. Output types

EVE can output to multiple methods. regular is a normal file. Other options are syslog, unix_dgram, unix_stream and redis.

Output types:

filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
# Enable for multi-threaded eve.json output; output files are amended
# with an identifier, e.g., eve.9.json. Default: off
#threaded: off
#prefix: "@cee: " # prefix to prepend to each log entry
# the following are valid when type: syslog above
#identity: "suricata"
#facility: local5
#level: Info ## possible levels: Emergency, Alert, Critical,
             ## Error, Warning, Notice, Info, Debug
#ethernet: no # log ethernet header in events when available
#redis:
#  server: 127.0.0.1
#  port: 6379
#  async: true ## if redis replies are read asynchronously
#  mode: list ## possible values: list|lpush (default), rpush, channel|publish
#             ## lpush and rpush are using a Redis list. "list" is an alias for lpush
#             ## publish is using a Redis channel. "channel" is an alias for publish
#  key: suricata ## key or channel to use (default to suricata)
# Redis pipelining set up. This will enable to only do a query every
# 'batch-size' events. This should lower the latency induced by network
# connection at the cost of some memory. There is no flushing implemented
# so this setting has to be reserved to high traffic suricata.
#  pipelining:
#    enabled: yes ## set enable to yes to enable query pipelining
#    batch-size: 10 ## number of entry to keep in buffer

15.1.1.2. Alerts

Alerts are event records for rule matches. They can be amended with metadata, such as the application layer record (HTTP, DNS, etc) an alert was generated for, and elements of the rule.

Metadata:

- alert:
    #payload: yes             # enable dumping payload in Base64
    #payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
    #payload-printable: yes   # enable dumping payload in printable (lossy) format
    #packet: yes              # enable dumping of packet (without stream segments)
    #http-body: yes           # Requires metadata; enable dumping of http body in Base64
    #http-body-printable: yes # Requires metadata; enable dumping of http body in printable format

    # metadata:

      # Include the decoded application layer (ie. http, dns)
      #app-layer: true

      # Log the current state of the flow record.
      #flow: true

      #rule:
        # Log the metadata field from the rule in a structured
        # format.
        #metadata: true

        # Log the raw rule text.
        #raw: false
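
To make the xff block of the alert logger (shown in the full configuration at the top of this page) concrete, here is an added Python illustration, not Suricata's implementation, of what mode and deployment decide. The field name xff used for extra-data mode, the to_server/to_client direction labels and the sample header value are assumptions of this example.

```python
"""Illustrate the alert logger's xff options (mode, deployment, header).

Added example, not Suricata's implementation. The field name 'xff' used
for extra-data mode and the 'to_server'/'to_client' direction labels are
assumptions made for this illustration.
"""
import ipaddress


def select_xff_ip(header_value, deployment):
    """Pick the client address from an X-Forwarded-For style value.

    deployment='reverse': the last address, i.e. the one appended by the
    trusted reverse proxy closest to the sensor.
    deployment='forward': the first address, i.e. the original client as
    recorded by a forward proxy.
    Returns None when no syntactically valid IP is found.
    """
    if deployment not in ("reverse", "forward"):
        raise ValueError("deployment must be 'reverse' or 'forward'")
    candidates = [p.strip() for p in header_value.split(",") if p.strip()]
    if not candidates:
        return None
    chosen = candidates[-1] if deployment == "reverse" else candidates[0]
    try:
        return str(ipaddress.ip_address(chosen))
    except ValueError:
        return None  # garbage in the header; leave the event untouched


def apply_xff(event, headers, mode="extra-data", deployment="reverse",
              header="X-Forwarded-For", direction="to_server"):
    """Return a copy of an alert event with xff handling applied.

    mode='extra-data' adds the address as a separate field; mode='overwrite'
    replaces src_ip (to_server) or dest_ip (to_client) with it.
    """
    value = next((v for k, v in headers.items() if k.lower() == header.lower()), None)
    result = dict(event)
    if value is None:
        return result
    ip = select_xff_ip(value, deployment)
    if ip is None:
        return result
    if mode == "extra-data":
        result["xff"] = ip
    elif mode == "overwrite":
        result["src_ip" if direction == "to_server" else "dest_ip"] = ip
    else:
        raise ValueError("mode must be 'extra-data' or 'overwrite'")
    return result


# Constructed request: the client forged an XFF entry (203.0.113.66)
# and the trusted reverse proxy appended the real peer (198.51.100.7).
SAMPLE_ALERT = {"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10"}
SAMPLE_HEADERS = {"x-forwarded-for": "203.0.113.66, 198.51.100.7"}

if __name__ == "__main__":
    print(apply_xff(SAMPLE_ALERT, SAMPLE_HEADERS, mode="overwrite", deployment="reverse"))
    print(apply_xff(SAMPLE_ALERT, SAMPLE_HEADERS, mode="overwrite", deployment="forward"))
```

The security point: everything in X-Forwarded-For except the entry your own proxy appended is client supplied. With deployment: reverse the last entry is used because the trusted reverse proxy adds it; with deployment: forward the first entry is used. Choosing the wrong deployment for your topology in overwrite mode lets a client rewrite src_ip in alerts with a forged header, so stay with extra-data until you know exactly which proxy adds which entry.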

15.1.1.3. Anomaly

Anomalies are event records created when packets with unexpected or anomalous values are handled. These events include conditions such as incorrect protocol values, incorrect protocol length values, and other conditions which render a packet suspect. Other conditions may occur during the normal progression of a stream; these are termed stream events and include control sequences with incorrect values or that occur out of expected order.

Anomalies are reported by and configured by type:

  • Decode

  • Stream

  • Application layer

Metadata:

- anomaly:
    # Anomaly log records describe unexpected conditions such as truncated packets,
    # packets with invalid IP/UDP/TCP length values, and other events that render
    # the packet invalid for further processing or describe unexpected behavior on
    # an established stream. Networks which experience high occurrences of
    # anomalies may experience packet processing degradation.
    #
    # Anomalies are reported for the following:
    # 1. Decode: Values and conditions that are detected while decoding individual
    #    packets. This includes invalid or unexpected values for low-level protocol
    #    lengths as well.
    # 2. Stream: This includes stream related events (TCP 3-way handshake issues,
    #    unexpected sequence number, etc).
    # 3. Application layer: These denote application layer specific conditions that
    #    are unexpected, invalid or are unexpected given the application monitoring
    #    state.
    #
    # By default, anomaly logging is disabled. When anomaly logging is enabled,
    # application-layer anomaly reporting is enabled.
    #
    # Choose one or both types of anomaly logging and whether to enable
    # logging of the packet header for packet anomalies.
    types:
      #decode: no
      #stream: no
      #applayer: yes
    #packethdr: no

15.1.1.4. HTTP

HTTP transaction logging.

Config:

- http:
    extended: yes     # enable this for extended logging information
    # custom allows additional http fields to be included in eve-log
    # the example below adds three additional fields when uncommented
    #custom: [Accept-Encoding, Accept-Language, Authorization]
    # set this value to one among {both, request, response} to dump all
    # http headers for every http request and/or response
    # dump-all-headers: [both, request, response]

List of custom fields:

Yaml Option           HTTP Header
--------------------  --------------------
accept                accept
accept_charset        accept-charset
accept_encoding       accept-encoding
accept_language       accept-language
accept_datetime       accept-datetime
authorization         authorization
cache_control         cache-control
cookie                cookie
max_forwards          max-forwards
origin                origin
pragma                pragma
proxy_authorization   proxy-authorization
range                 range
te                    te
via                   via
x_requested_with      x-requested-with
dnt                   dnt
x_forwarded_proto     x-forwarded-proto
x_authenticated_user  x-authenticated-user
x_flash_version       x-flash-version
accept_range          accept-range
age                   age
allow                 allow
connection            connection
content_encoding      content-encoding
content_language      content-language
content_length        content-length
content_location      content-location
content_md5           content-md5
content_range         content-range
content_type          content-type
date                  date
etag                  etag
expires               expires
last_modified         last-modified
link                  link
location              location
proxy_authenticate    proxy-authenticate
referer               referer
refresh               refresh
retry_after           retry-after
server                server
set_cookie            set-cookie
trailer               trailer
transfer_encoding     transfer-encoding
upgrade               upgrade
vary                  vary
warning               warning
www_authenticate      www-authenticate
true_client_ip        true-client-ip
org_src_ip            org-src-ip
x_bluecoat_via        x-bluecoat-via

custom can use the values from either column. The HTTP Header column is case-insensitive.

15.1.1.5. DNS

Note

As of Suricata 5.0 the version 2 format of the EVE DNS log is the default.

One entry is logged for the request and one entry for the response.

YAML:

- dns:
    # As of Suricata 5.0, version 2 of the eve dns output
    # format is the default.
    #version: 2

    # Enable/disable this logger. Default: enabled.
    #enabled: yes

    # Control logging of requests and responses:
    # - requests: enable logging of DNS queries
    # - responses: enable logging of DNS answers
    # By default both requests and responses are logged.
    #requests: no
    #responses: no

    # Format of answer logging:
    # - detailed: array item per answer
    # - grouped: answers aggregated by type
    # Default: all
    #formats: [detailed, grouped]

    # Types to log, based on the query type.
    # Default: all.
    #types: [a, aaaa, cname, mx, ns, ptr, txt]

15.1.1.6. DNS v1 Format

The version 1 DNS output has been deprecated by the version 2 output above. The v1 format logs a record for each answer in a response, which can result in far more than 2 log records per request and response.

YAML:

- dns:
    # Must set the version to 1 to get the old style format.
    version: 1
    # control logging of queries and answers
    # default yes, no to disable
    query: yes     # enable logging of DNS queries
    answer: yes    # enable logging of DNS answers
    # control which RR types are logged
    # all enabled if custom not specified
    #custom: [a, aaaa, cname, mx, ns, ptr, txt]

To reduce verbosity the output can be filtered by supplying the record types to be logged under custom.

15.1.1.7. TLS

TLS records are logged one record per session.

YAML:

- tls:
    extended: yes     # enable this for extended logging information
    # custom allows to control which tls fields that are included
    # in eve-log
    #custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]

The default is to log certificate subject and issuer. If extended is enabled, then the log gets more verbose.

By using custom it is possible to select which TLS fields to log.

15.1.1.8. Date modifiers in filename

It is possible to use date modifiers in the EVE filename.

outputs:
  - eve-log:
      filename: eve-%s.json

The example above adds epoch time to the filename. All the date modifiers from the C library should be supported. See the man page for strftime for all supported modifiers.

15.1.1.9. Threaded file output

By default, all output is written to the named filename in the outputs section. The threaded option enables each output thread to write to an individual file. In this case, the filename will include a unique identifier.

With threaded enabled, the output is split across multiple files, and the contents of all the files must be aggregated to be processed together.

outputs:
  - eve-log:
      filename: eve.json
      threaded: on

This example will cause each Suricata thread to write to its own 'eve.json' file. Filenames are constructed by adding a unique identifier to the filename. For example, eve.7.json.
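
An added example (not part of Suricata) of putting threaded files back together: each eve.N.json is internally ordered because a single thread appends to it, so a k-way merge on the parsed timestamp restores one ordered stream without loading every file into memory. The file contents below are constructed; the timestamp format is the one EVE uses.

```python
"""Merge threaded EVE output files (eve.N.json) into one timestamp-ordered stream.

Added example, not part of Suricata. With 'threaded: on' each output
thread writes its own file, so records for one flow can be spread across
files and cross-file ordering is lost; this restores a global order.
The sample file contents are constructed.
"""
import heapq
import json
from datetime import datetime

# Constructed contents of two threaded output files.
SAMPLE_THREAD_FILES = {
    "eve.1.json": [
        '{"timestamp":"2003-12-16T13:21:44.891921+0000","flow_id":1,"event_type":"alert"}',
        '{"timestamp":"2003-12-16T13:21:46.000000+0000","flow_id":1,"event_type":"flow"}',
    ],
    "eve.2.json": [
        '{"timestamp":"2003-12-16T13:21:45.037333+0000","flow_id":2,"event_type":"dns"}',
        '{"timestamp":"2003-12-16T13:21:45.500000+0000","flow_id":2,"event_type":"flow"}',
    ],
}

EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # e.g. 2003-12-16T13:21:44.891921+0000


def parse_eve_timestamp(value):
    """Parse an EVE timestamp into an aware datetime."""
    return datetime.strptime(value, EVE_TS_FORMAT)


def _records(lines):
    """Yield (timestamp, record) for each well-formed line, in file order."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated write at rotation/shutdown; skip it
        yield parse_eve_timestamp(rec["timestamp"]), rec


def merge_threaded(files):
    """Merge several per-thread files by timestamp.

    'files' maps filename -> iterable of lines. Each file is already in
    order, so heapq.merge holds only one pending record per file.
    """
    streams = [_records(lines) for lines in files.values()]
    return [rec for _, rec in heapq.merge(*streams, key=lambda item: item[0])]


if __name__ == "__main__":
    for rec in merge_threaded(SAMPLE_THREAD_FILES):
        print(rec["timestamp"], rec["event_type"], rec["flow_id"])
```

For real files, pass open file objects (which iterate line by line) instead of the in-memory lists, and glob for eve.*.json so a thread count change does not require a code change.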

15.1.1.10. Rotate log file

Eve-log can be configured to rotate based on time.

outputs:
  - eve-log:
      filename: eve-%Y-%m-%d-%H:%M.json
      rotate-interval: minute

The example above creates a new log file each minute, where the filename contains a timestamp. Other supported rotate-interval values are hour and day.

In addition to this, it is also possible to specify the rotate-interval as a relative value. One example is to rotate the log file every x seconds.

outputs:
  - eve-log:
      filename: eve-%Y-%m-%d-%H:%M:%S.json
      rotate-interval: 30s

The example above rotates the EVE log every 30 seconds. This can be replaced with 30m to rotate every 30 minutes, 30h for every 30 hours, 30d for every 30 days, or 30w for every 30 weeks.

15.1.1.11. Multiple Logger Instances

It is possible to have multiple 'eve' instances, for example the following is valid:

outputs:
  - eve-log:
      enabled: yes
      type: file
      filename: eve-ips.json
      types:
        - alert
        - drop

  - eve-log:
      enabled: yes
      type: file
      filename: eve-nsm.json
      types:
        - http
        - dns
        - tls

So here the alerts and drops go into 'eve-ips.json', while http, dns and tls go into 'eve-nsm.json'.

With the exception of drop, you can specify multiples of the same logger type, however, drop can only be used once.

Note

The use of independent JSON loggers such as alert-json-log, dns-json-log, etc. has been deprecated and they will be removed by June 2020. Please use multiple eve-log instances as documented above instead. See the deprecation policy for more information.

15.1.1.12. File permissions

Log file permissions can be set individually for each logger. filemode can be used to control the permissions of a log file, e.g.:

outputs:
  - eve-log:
      enabled: yes
      filename: eve.json
      filemode: 600

The example above sets the file permissions on eve.json to 600, which means that it is only readable and writable by the owner of the file.

15.1.1.13. JSON flags

Several flags can be specified to control the JSON output in EVE:

outputs:
  - eve-log:
      json:
        # Sort object keys in the same order as they were inserted
        preserve-order: yes

        # Make the output more compact
        compact: yes

        # Escape all unicode characters outside the ASCII range
        ensure-ascii: yes

        # Escape the '/' characters in string with '\/'
        escape-slash: yes

All these flags are enabled by default, and can be modified per EVE instance.

15.1.1.14. Community Flow ID

Often Suricata is used in combination with other tools like Bro/Zeek. Enabling the community-id option in the eve-log section adds a new community_id field to each output.

Example:

{
  "timestamp": "2003-12-16T13:21:44.891921+0000",
  "flow_id": 1332028388187153,
  "pcap_cnt": 1,
  "event_type": "alert",
  ...
  "community_id": "1:LQU9qZlK+B5F3KDmev6m5PMibrg=",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
  },
}
{
  "timestamp": "2003-12-16T13:21:45.037333+0000",
  "flow_id": 1332028388187153,
  "event_type": "flow",
  "flow": {
    "pkts_toserver": 5,
    "pkts_toclient": 4,
    "bytes_toserver": 338,
    "bytes_toclient": 272,
    "start": "2003-12-16T13:21:44.891921+0000",
    "end": "2003-12-16T13:21:45.346457+0000",
    "age": 1,
    "state": "closed",
    "reason": "shutdown",
    "alerted": true
  },
  "community_id": "1:LQU9qZlK+B5F3KDmev6m5PMibrg=",
}

15.1.1.14.1. Options

The output can be enabled per instance of the EVE logger.

The community-id option is boolean. If set to true it is enabled. The community-id-seed option specifies an unsigned 16 bit value that is used to seed the hash that is calculated for the community-id output. This must be set to the same value on all tools that output this record.

YAML:

- eve-log:
    # Community Flow ID
    # Adds a 'community_id' field to EVE records. These are meant to give
    # a records a predictable flow id that can be used to match records to
    # output of other tools such as Bro.
    #
    # Takes a 'seed' that needs to be same across sensors and tools
    # to make the id less predictable.

    # enable/disable the community id feature.
    community-id: false
    # Seed value for the ID output. Valid values are 0-65535.
    community-id-seed: 0
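
As an added example (not Suricata's code), the following Python computes a Community ID v1 the way the public specification describes it, so you can verify the community_id in an EVE record or compute one for a tool that does not emit it. It handles TCP, UDP and SCTP tuples only. The check tuple used below (128.232.110.120:34855 to 66.35.250.204:80 over TCP, seed 0) is taken from the specification's tcp.pcap reference capture, whose ID is the one shown in the EVE example above; the addresses and ports themselves do not appear on this page and are an assumption of this example.

```python
"""Compute Community ID v1 for a flow tuple, as added to EVE records.

Added example, not Suricata's code. It follows the public Community ID
v1 specification (corelight/community-id-spec); only TCP (6), UDP (17)
and SCTP (132) tuples are handled here. The check tuple in __main__ is
assumed from the spec's tcp.pcap reference capture.
"""
import base64
import hashlib
import ipaddress
import struct

PORT_PROTOS = {6, 17, 132}  # TCP, UDP, SCTP
PROTO_NUMBERS = {"TCP": 6, "UDP": 17, "SCTP": 132}  # EVE 'proto' names


def community_id_v1(src_ip, src_port, dst_ip, dst_port, proto, seed=0):
    """Return '1:<base64 sha1>' for the flow, independent of direction.

    seed is the 16-bit 'community-id-seed'; every sensor and tool that
    should agree on IDs must use the same value.
    """
    if proto not in PORT_PROTOS:
        raise ValueError("only TCP/UDP/SCTP tuples are handled in this example")
    if not 0 <= seed <= 0xFFFF:
        raise ValueError("seed must fit in 16 bits")
    saddr = ipaddress.ip_address(src_ip).packed
    daddr = ipaddress.ip_address(dst_ip).packed
    # Canonical ordering: the lexicographically smaller (address, port)
    # endpoint goes first, so both directions hash to the same ID.
    if (saddr, src_port) > (daddr, dst_port):
        saddr, daddr = daddr, saddr
        src_port, dst_port = dst_port, src_port
    data = struct.pack("!H", seed) + saddr + daddr
    data += struct.pack("!BBHH", proto, 0, src_port, dst_port)  # proto, pad byte, ports
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


def community_id_for_record(rec, seed=0):
    """Compute the ID from an EVE record's 5-tuple fields
    (src_ip, src_port, dest_ip, dest_port, proto)."""
    return community_id_v1(rec["src_ip"], rec["src_port"], rec["dest_ip"],
                           rec["dest_port"], PROTO_NUMBERS[rec["proto"].upper()], seed)


if __name__ == "__main__":
    print(community_id_v1("128.232.110.120", 34855, "66.35.250.204", 80, 6))
```

Because the ordering step makes the hash direction independent, the alert (client to server) and the later flow record in the example above carry the same community_id, which is what lets Zeek's conn log and Suricata's eve.json be joined on that one field.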

15.1.1.14.1.1. Multi Tenancy

Suricata can be configured to support multiple tenants with different detection engine configurations. When these tenants are configured and the detection engine is running, all EVE logging will also report the tenant_id field for traffic matching a specific tenant.