I want to convert a MISP eve.json file into Suricata rules. Any Python library you can suggest?
Hi, and welcome to the community!
If you’re asking how to convert the output file eve.json, which contains alerts and log records, into rules, I’m not sure what the problem is you’re trying to solve.
eve.json contains alerts – generated by the rules used by Suricata as it inspects traffic.
eve.json also contains logging information – which may or may not be associated with the generated alerts – obtained from the traffic it inspects.
Alert generation is part of Suricata’s IDS (or IPS) functionality (intrusion detection, intrusion prevention). Logging is part of Suricata’s NSM (network security monitoring) function.
Yes, it is the json file, it contains alert and log records. How to convert it to the Suricata rules?
Good morning.
Your picture is not of Suricata’s eve.json file.
Note that the eve.json file contains alerts generated by rules so it’s not clear why you’d want to transform the alerts back into the rules that generated the alerts. Note that each alert contains the signature id of the rule that triggered the alert.
Good morning,
Yes actually it is a json file of the event we create in MISP. It holds all the information related to the events created in the MISP.
As far as I understood, the above json file is the exported MISP event (the same are available here) and you want to write Python code to convert MISP json to Suricata rules, right?
Yes, exactly, and yes, it’s an exported event from MISP.
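The conversion the thread is asking about, as an added example that is not part of the thread and is not MISP's or Suricata's own code. It assumes the standard MISP event export layout ({"Event": {"Attribute": [...]}}), a constructed sample event with documentation addresses rather than real indicators, a private sid range starting at 9000000, and the dns.query / http.host / http.uri sticky buffers of Suricata 5 and later. Only attributes the analyst flagged with to_ids are turned into rules, network-level types (ip-src, ip-dst, domain, hostname, url) are handled, and values are escaped so a semicolon or quote inside an indicator cannot break the rule syntax. MISP itself can export attributes as Suricata rules from the event page, so a script like this is mainly useful when that output needs to be customised.

```python
import ipaddress
import json
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample of a MISP event export (the {"Event": {...}} shape MISP
# produces); the values are documentation/test addresses, not real indicators.
SAMPLE_MISP_EVENT = json.dumps({
    "Event": {
        "id": "42",
        "info": "constructed sample event",
        "Attribute": [
            {"type": "ip-dst", "to_ids": True, "uuid": "aaaa-1", "value": "198.51.100.7"},
            {"type": "ip-src", "to_ids": True, "uuid": "aaaa-2", "value": "203.0.113.0/24"},
            {"type": "domain", "to_ids": True, "uuid": "aaaa-3", "value": "evil.example"},
            {"type": "url", "to_ids": True, "uuid": "aaaa-4",
             "value": "http://evil.example/drop.bin?id=1;2"},
            {"type": "md5", "to_ids": True, "uuid": "aaaa-5",
             "value": "d41d8cd98f00b204e9800998ecf8427e"},
            {"type": "hostname", "to_ids": False, "uuid": "aaaa-6",
             "value": "analyst-notes.example"},
        ],
    }
})

SID_BASE = 9000000  # assumption: a private sid range reserved for MISP-derived rules


def escape_meta(value: str, content: bool = False) -> str:
    """Escape characters Suricata treats specially in msg:"..." and content:"..."."""
    out = value.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")
    return out.replace("|", "\\|") if content else out  # pipes delimit hex in content


def attribute_to_rule(attr: Dict, event_id: str, sid: int) -> Optional[str]:
    """Build one Suricata rule for a supported attribute, or None if not applicable."""
    if not attr.get("to_ids"):
        return None  # analyst marked this attribute as not suitable for IDS use
    atype, value = attr.get("type"), attr.get("value", "")
    msg = f"MISP e{event_id} [{attr.get('uuid', '')}] {atype}: {escape_meta(value)}"
    tail = f"classtype:trojan-activity; sid:{sid}; rev:1;"

    if atype in ("ip-src", "ip-dst"):
        try:
            net = ipaddress.ip_network(value, strict=False)  # validates, accepts CIDR
        except ValueError:
            return None
        target = str(net) if net.prefixlen < net.max_prefixlen else str(net.network_address)
        src, dst = ("$HOME_NET", target) if atype == "ip-dst" else (target, "$HOME_NET")
        return f'alert ip {src} any -> {dst} any (msg:"{msg}"; {tail})'

    if atype in ("domain", "hostname"):
        # Match the name (or any subdomain of it) in DNS queries from the inside.
        return (f'alert dns $HOME_NET any -> any any (msg:"{msg}"; dns.query; '
                f'content:"{escape_meta(value, content=True)}"; nocase; endswith; {tail})')

    if atype == "url":
        parts = urlsplit(value if "://" in value else "http://" + value)
        if not parts.hostname:
            return None
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        return (f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"{msg}"; '
                f'flow:to_server,established; http.host; '
                f'content:"{escape_meta(parts.hostname, content=True)}"; nocase; '
                f'http.uri; content:"{escape_meta(path, content=True)}"; nocase; {tail})')

    return None  # hashes and other attribute types are not expressible as network rules


def convert_misp_event(misp_json: str, sid_base: int = SID_BASE) -> List[str]:
    """Turn a MISP event JSON export into a list of Suricata rule lines."""
    event = json.loads(misp_json).get("Event", {})
    rules: List[str] = []
    for attr in event.get("Attribute", []):
        rule = attribute_to_rule(attr, str(event.get("id", "0")), sid_base + len(rules) + 1)
        if rule:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    print("\n".join(convert_misp_event(SAMPLE_MISP_EVENT)))
```

Run it as-is to see the four rules generated for the sample; with a real export, pass the file contents to convert_misp_event and write the result to a .rules file that suricata.yaml lists under rule-files. Keep the sid base stable between runs so Suricata's rule reloads and any downstream tooling see consistent signature ids.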