Hi, i think only with fileinfo. Suricata 5.x: cat eve.json | jq -c 'select(.fileinfo)|.fileinfo.filename’ “/project.aspx” “/project.aspx” “/project.aspx” “/a.aspx” “/bounce.aspx” “/bounce.aspx” “/db.aspx” “/bounce.aspx” “/bounce.aspx” “zest2.cab” “/project.aspx” “/bounce.aspx” “/boun…

Suricata 6.0.0 rc1 JSON structure

suricatalfon (Suricatalfon) September 17, 2020, 5:54am 10

Hi,

I am seeing another major change in the json structure. In anomaly we have:

community_id
metadata.flowbits
anomaly events.

cat eve.json | jq 'select(.anomaly)|.flow_id,.anomaly’

On other occasions, it appears differently:

Best Regads,

Topic		Replies	Views
Suricata alerts / GraphViz Tips and Tricks	0	504	May 31, 2022
JQ cheat sheet for parsing Suricata EVE outputs Guides	0	1313	July 31, 2023
Integrating Suricata with Jupitor Note book for Hybrid IDS	1	154	December 4, 2023
Pcap_filename in eve.json is not accurate when using --pcap-file-continuous Developers bug	24	1252	May 16, 2022
Converting eve.json to CSV Help	3	312	January 4, 2023