spender-sandbox / cuckoo-modified

Modified edition of cuckoo

failed to read eve.json file as a json

MalikAsadAwan opened this issue · comments

I am trying to read the eve.json file and return it to my client, but there is an error because eve.json is not in a standard JSON format structure. Please help me with how to read this file.

Version of Suricata?

4.0.4

Can you post the error from the log? I have the same version and it works just fine.

Unexpected token { in JSON at position 1876
at JSON.parse ()

Also, in my logs there is no useful information like src_ip, src_port. See, my logs are like this:

{"timestamp":"2018-04-16T17:02:00.000396+0500","event_type":"stats","stats":{"uptime":8,"capture":{"kernel_packets":0,"kernel_drops":0},"decoder":{"pkts":0,"bytes":0,"invalid":0,"ipv4":0,"ipv6":0,"ethernet":0,"raw":0,"null":0,"sll":0,"tcp":0,"udp":0,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"ieee8021ah":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":0,"max_pkt_size":0,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"tcp":0,"udp":0,"icmpv4":0,"icmpv6":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7074304},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":0,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":0,"synack":0,"rst":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"overlap":0,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":2293760,"reassembly_memuse":327680},"detect":{"alert":0},"app_layer":{"flow":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":0,"failed_udp":0},"tx":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"dcerpc_udp":0,"dns_udp":0}},"flow_mgr":{"closed_pruned":0,"new_pruned":0,"est_pruned":0,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"file_store":{"open_files":0},"dns":{"memuse":0,"memcap_state":0,"memcap_global":0},"http":{"memuse":0,"memcap":0}}}

No no, I mean the Cuckoo processing log as it starts Suricata, but that is weird. Does this happen with all or only one?

Please share with me a useful link on how to install Suricata. I think the error is in installing Suricata.

I suggest you do this if you want to speed up Suricata a bit more:

# Speedup suricata >= 3.1
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Hyperscan
# https://github.com/01org/hyperscan
cd /tmp
git clone https://github.com/01org/hyperscan.git
cd hyperscan/
mkdir builded
cd builded
sudo apt-get install cmake libboost-dev ragel libhtp2
# doxygen sphinx-common libpcap-dev
cmake -DBUILD_STATIC_AND_SHARED=1 ../
# tests
#bin/unit-hyperscan
make
sudo make install

# if we want suricata with hyperscan:
sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make libmagic-dev libjansson-dev libjansson4 pkg-config
sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

# make the hyperscan libraries installed under /usr/local/lib visible to the dynamic linker
echo "/usr/local/lib" | sudo tee --append /etc/ld.so.conf.d/usrlocal.conf
sudo ldconfig

# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation
cd /tmp
VER=4.0.4
wget "https://www.openinfosecfoundation.org/download/suricata-$VER.tar.gz"
tar -xvzf "suricata-$VER.tar.gz"
cd "suricata-$VER"
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/
make
sudo make install-full
# confirm the build picked up hyperscan
suricata --build-info|grep Hyperscan

# Output printed by 'make install-full' (kept as a comment; in bash a bare """ block is not a comment):
#
# You can now start suricata by running as root something like '/usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.
#
# If a library like libhtp.so is not found, you can run suricata with:
# LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0
#
# While rules are installed now, its highly recommended to use a rule manager for maintaining rules.
# The two most common are Oinkmaster and Pulledpork. For a guide see:
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

touch /etc/suricata/threshold.config