Integrating Suricata with Jupitor Note book for Hybrid IDS

jemilj · December 3, 2023, 10:09am

Dears any body can help am working on project with hybrids IDS and Wanted help to send EVE,Jason file which is not type alert and map it to jupitor note book to input the to Decision tree testing phase the specific quires listed below

→ how do i write a script that can automatically pick eve.json file split the file and retrive event that are not of type ‘Alert’
→ how can i generate labelled dataset from eve.json that can be used for machine learning classification algorithm mainly (Decision tree)
→ how do i map the event type that are not type alert and map it to pandas data frame change from labelled dataset to unlabbeled dataset

markuskont · December 4, 2023, 9:06am

Hi,

Just read the file in Python, looping over each line. For each line, decode the JSON and append the decoded data into a list. Keep in mind that it’s all in memory, it’s easy to run out if EVE file is large.
pandas.json_normalize — pandas 2.1.3 documentation - just pass the resulting list to this method to get a dataframe. It handles nested JSON just fine but does not deal with lists of dictionaries;
Write a python function that has only one input argument and one output. Input is the raw data as given by suricata, output is whatever label you need. Then apply over a dataframe column;

You can use this notebook for reference.

github.com

StamusNetworks/suricata-analytics/blob/main/jupyter/Notebooks/JupyterPlaybooksForSuricata.ipynb

{
 "cells": [
  {
   "cell_type": "markdown",
   "id": "eece3b24-7968-49b4-a9fe-db5a8a7135a4",
   "metadata": {},
   "source": [
    "# Jupyter Playbooks for Suricata\n",
    "\n",
    "Author: Markus Kont"
   ]
  },
  {
   "cell_type": "markdown",
   "id": "f8911b32-792d-4d38-bd8b-a7006f88c011",
   "metadata": {},
   "source": [
    "## Introduction\n",
    "\n",
    "Back in 2022, I did a Suricon presentation titled [Jupyter Playbooks for Suricata](https://youtu.be/hevTFubjlDQ). The goal of that presentation was to introduce JupyterLab to security practitioners who work with Suricata. Many people are familiar with exploring Suricata EVE output using established technology stacks such as Elastic stack, Splunk, etc. Yet might be unfamiliar with tools from data science world. Amazingly, a lot of people are still totally unfamiliar with EVE NSM data. It's 2023 and Suricata is still considered by many to be only a rule based IDS, even going so far that Suricata is often deployed in tandem with NSM logging tools as people believe Suricata is unable to fill the role.\n",

This file has been truncated. show original

Topic		Replies	Views
How to convert eve.json file to suricata rules Rules community , suricata	6	1433	December 27, 2021
Can I use a Suricata IDS alert to trigger some python code? Help	6	1904	July 18, 2020
JQ cheat sheet for parsing Suricata EVE outputs Guides	0	2099	July 31, 2023
Eve.json only shows "event_type":"flow" Help	7	1616	October 22, 2020
Converting eve.json to CSV Help	3	401	January 4, 2023

Integrating Suricata with Jupitor Note book for Hybrid IDS

Related topics