[Bro] Converting Notice::Info to JSON

Dave Crawford bro at pingtrip.com
Wed Feb 1 05:05:04 PST 2017


> On Jan 31, 2017, at 3:39 PM, Dave Crawford <bro at pingtrip.com> wrote:
> 
> 
>> On Jan 31, 2017, at 11:16 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>> 
>> You could probably avoid the whole issue by using to_json like this:
>> 
>>   to_json(note, T);
>> 
>> to set the only_loggable option to true which should cause it to ignore fields that aren't normally logged in the first place.
>> 
>> -- 
>> - Justin Azoff
>> 
> 

A follow-up question on to_json() is whether the function always produces valid JSON. As an example:

to_json(n, T)

produces a few field values that aren’t properly quoted, or, in the case of Booleans, doesn’t convert T/F to true/false:

{"proto": tcp, "peer_descr": "bro", "id": {"resp_h": "199.192.156.134", "resp_p": 443, "orig_h": "10.0.2.15", "orig_p": 1381}, "dst": "199.192.156.134", "p": 443, "sub": "POST /bbs/info.asp HTTP/1.1\\x0d\\x0aHost: 199.192.156.134:443\\x0d\\x0aContent-Length: 165\\x0d\\x0aConnection: Keep-Alive\\x0d\\x0aCache-Control: no-cache\\x0d\\x0a\\x0d\\x0a3D333531501A...", "suppress_for": "", "src": "10.0.2.15", "msg": "10.0.2.15: ATTACK-RESPONSES Microsoft cmd.exe banner (reverse-shell originator)", "note": Signatures::Sensitive_Signature, "ts": 1485952936.47094, "uid": "CZwEv13Gadjmnaf6W6", "dropped": F, "actions": [Notice::ACTION_LOG, Phantom::ACTION_TEST]}

-Dave
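As an added example (not code from this thread or from Bro itself), the following Python normalizer repairs output of the shape shown above before handing it to a real JSON parser: bare enum identifiers such as tcp, Signatures::Sensitive_Signature and Notice::ACTION_LOG get quoted, and Bro's T/F become true/false, while string contents (including the \x0d\x0a escapes in the sub field) and numbers are left untouched. The sample input is constructed to resemble the quoted record, and the function names are my own.

```python
import json
import re

# Constructed sample modelled on the to_json(n, T) output quoted in the post:
# bare identifiers (tcp, Signatures::..., Notice::ACTION_LOG) and T/F
# make it invalid JSON as written.
SAMPLE = (
    '{"proto": tcp, "peer_descr": "bro", '
    '"id": {"resp_h": "192.0.2.10", "resp_p": 443, "orig_h": "10.0.2.15", "orig_p": 1381}, '
    '"sub": "POST /x HTTP/1.1\\\\x0d\\\\x0aHost: 192.0.2.10:443", '
    '"note": Signatures::Sensitive_Signature, "ts": 1485952936.47094, '
    '"dropped": F, "actions": [Notice::ACTION_LOG, Phantom::ACTION_TEST]}'
)

# Bro-style identifier, optionally namespaced with '::' (e.g. Notice::ACTION_LOG).
IDENT = re.compile(r'[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*')
# JSON number; matched first so an exponent like 1e5 is not mistaken for an identifier.
NUMBER = re.compile(r'-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?')


def normalize_bro_json(text):
    """Return a valid-JSON version of Bro to_json() output.

    Outside string literals: T -> true, F -> false, other bare identifiers
    are quoted. Inside string literals everything is copied verbatim,
    honouring backslash escapes so an escaped quote does not end the string.
    """
    out = []
    i, n = 0, len(text)
    in_string = False
    while i < n:
        ch = text[i]
        if in_string:
            out.append(ch)
            if ch == '\\' and i + 1 < n:
                out.append(text[i + 1])   # copy the escaped character as-is
                i += 2
                continue
            if ch == '"':
                in_string = False
            i += 1
            continue
        if ch == '"':
            in_string = True
            out.append(ch)
            i += 1
            continue
        m = NUMBER.match(text, i)
        if m:
            out.append(m.group(0))
            i = m.end()
            continue
        m = IDENT.match(text, i)
        if m:
            word = m.group(0)
            if word == 'T':
                out.append('true')
            elif word == 'F':
                out.append('false')
            elif word in ('true', 'false', 'null'):
                out.append(word)
            else:
                out.append(json.dumps(word))   # quote the bare enum identifier
            i = m.end()
            continue
        out.append(ch)
        i += 1
    return ''.join(out)


def parse_bro_json(text):
    """Normalize and parse; raises json.JSONDecodeError if still invalid."""
    return json.loads(normalize_bro_json(text))


if __name__ == '__main__':
    record = parse_bro_json(SAMPLE)
    print(record['proto'], record['dropped'], record['actions'])
```

The scanner is deliberately a single pass with explicit string state rather than a regex substitution, because a bare-word regex applied to the whole record would also rewrite words inside the msg or sub payloads, which is exactly where attacker-controlled text lives.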

