Is there a way to extract hostnames from http packets using Suricata?
I’m new to Suricata and don’t know how to use it, so please let me know!
Suricata’s default configuration logs information about HTTP transactions. Here’s an example that shows the hostname:
{"timestamp":"2011-01-25T13:52:24.330674-0500","flow_id":2244432136331129,"pcap_cnt":382,"event_type":"http","src_ip":"192.168.3.131","src_port":55966,"dest_ip":"63.215.202.48","dest_port":80,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"http":{"hostname":"altfarm.mediaplex.com","url":"/ad/js/12308-120034-30721-0?mpt=[1627390274ER]&mpvc=","http_user_agent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10","http_refer":"http://ca.msn.com/","http_method":"GET","protocol":"HTTP/1.1","status":302,"redirect":"http://img.mediaplex.com/content/0/12308/120034/1326513_300x250_new_year_v130_trend_en_c02.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12308-120034-30721-0%3Fmpt%3D%5B1627390274ER%5D&mpt=[1627390274ER]&mpvc=","length":0}}
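To pull the hostnames out of that log, here is an added example (not part of the original answer) that reads eve.json line by line, keeps only "http" events, and tallies transactions per hostname; it assumes the default log path /var/log/suricata/eve.json and uses a constructed sample that includes the event quoted above plus lines that must be skipped (a non-HTTP event, an HTTP event with no Host header, and a truncated line).

```python
import json
from collections import Counter

# Constructed sample of eve.json lines: the HTTP event quoted in the answer
# (trimmed), a "flow" event, an HTTP event without a hostname, and a line
# cut off mid-write, to show what the extractor has to tolerate.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2011-01-25T13:52:24.330674-0500","flow_id":2244432136331129,'
    '"event_type":"http","src_ip":"192.168.3.131","src_port":55966,'
    '"dest_ip":"63.215.202.48","dest_port":80,"proto":"TCP","tx_id":0,'
    '"http":{"hostname":"altfarm.mediaplex.com","url":"/ad/js/12308-120034-30721-0",'
    '"http_method":"GET","protocol":"HTTP/1.1","status":302,"length":0}}',
    '{"timestamp":"2011-01-25T13:52:25.000000-0500","event_type":"flow",'
    '"src_ip":"192.168.3.131","dest_ip":"63.215.202.48","proto":"TCP"}',
    '{"timestamp":"2011-01-25T13:52:26.000000-0500","event_type":"http",'
    '"src_ip":"192.168.3.131","dest_ip":"63.215.202.48","http":{"url":"/"}}',
    '{"timestamp":"2011-01-25T13:52:27.0',  # truncated: log rotated mid-write
]


def iter_http_hosts(lines):
    """Yield (hostname, dest_ip, dest_port) for every HTTP event in eve.json lines.

    Lines that are not valid JSON, are not event_type "http", or carry no
    hostname (e.g. an HTTP/1.0 request without a Host header) are skipped
    rather than aborting the whole run.
    """
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") != "http":
            continue
        hostname = event.get("http", {}).get("hostname")
        if not hostname:
            continue
        yield hostname, event.get("dest_ip"), event.get("dest_port")


def hostname_counts(lines):
    """Count HTTP transactions per hostname, the usual first triage view."""
    return Counter(host for host, _ip, _port in iter_http_hosts(lines))


if __name__ == "__main__":
    # On a sensor: hostname_counts(open("/var/log/suricata/eve.json"))
    for host, n in hostname_counts(SAMPLE_EVE_LINES).most_common():
        print(f"{n:6d}  {host}")
```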