Hi,
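# Graph HTTP alerts from a Suricata eve.json as
#   src_ip -> dest_ip -> "METHOD url" -> signature      (edge label: flow_id)
# and show the PNG interactively.
#
# jq emits one TAB-separated record per alert (@tsv escapes tabs, newlines
# and backslashes inside a value) instead of the `tr -d '"[]'` + FS=, trick:
# a URL or signature containing a comma silently shifted every awk field.
# http.url echoes the client request, i.e. attacker-controlled input. The
# original stripped `"` with tr, but the backslash that JSON puts in front of
# an embedded quote survived and could escape the closing quote awk added, so
# a crafted URL could run one node id into the next statement (a misleading
# graph or one that fails to render). Every value is now escaped for DOT.

# Turn TAB-separated alert records on stdin into a DOT graph on stdout.
#   fields: src_ip  dest_ip  http_method  url  signature  flow_id
# Args: none.  Returns: awk's exit status.
http_alert_dot() {
  awk -F '\t' '
    # Quote s as a DOT string literal: prefix every backslash and
    # double quote with a backslash, then wrap in double quotes.
    function dq(s) { gsub(/[\\"]/, "\\\\&", s); return "\"" s "\"" }
    BEGIN {
      print "digraph \"G\"{graph[rank=same];ranksep=3;node[style=\"rounded,filled\" shape=box color=lightblue3];rankdir=LR;pin=true;forcelabels=true;splines=polyline;overlap=false;concentrate=true;edge[arrowhead=vee,arrowtail=inv,arrowsize=.7,color=cornflowerblue,fontsize=10,fontcolor=navy];"
    }
    # One chain per record; flow_id is quoted so an absent id yields
    # label="" instead of the invalid `label=`.
    { print dq($1) " -> " dq($2) " -> " dq($3 " " $4) " -> " dq($5) "[label=" dq($6) "];" }
    END { print "}" }
  '
}

# IPREP drops the IP-reputation signatures; kumchakl1 is a site-specific
# exclusion inherited from the original one-liner (adjust or remove).
# Both are literal strings, so grep -F replaces `ag -v` exactly and needs
# no extra tool.
jq -r 'select(.alert and .http)
       | [.src_ip, .dest_ip, .http.http_method, .http.url, .alert.signature, .flow_id]
       | @tsv' eve.json \
  | grep -v -F -e IPREP -e kumchakl1 \
  | http_alert_dot \
  | dot -Gdpi=75 -Tpng \
  | display -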
…
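# Graph every alert in a Suricata eve.json as
#   src_ip -> dest_ip -> category -> signature      (edge label: flow_id)
# and write it to suricata.png.
#
# The noise filter now runs on the alert category and signature inside jq;
# the original grepped the raw JSON line, so a record whose URL, payload or
# user-agent merely contained "JA3" or "Firehol" was dropped as well.
# @tsv replaces the `tr -d '"[]'` + FS=, + `sed 's/null//'` trick: a comma
# in a signature shifted every awk field, and sed only blanked the first
# "null" on the line. A null field now simply becomes an empty cell, and the
# awk side escapes `"` and `\` so no value can break out of its DOT node id
# (signature/category come from the ruleset, src/dest from the packet).
# Only the first LIMIT records are plotted, default 10 as in the original
# `head`; e.g. LIMIT=500 for a bigger graph.

# Turn TAB-separated alert records on stdin into a DOT graph on stdout.
#   fields: src_ip  dest_ip  category  signature  flow_id
# Signatures are drawn as orange ellipses, sources khaki, destinations green.
# Args: none.  Returns: awk's exit status.
alert_dot() {
  awk -F '\t' '
    # Quote s as a DOT string literal: prefix every backslash and
    # double quote with a backslash, then wrap in double quotes.
    function dq(s) { gsub(/[\\"]/, "\\\\&", s); return "\"" s "\"" }
    BEGIN {
      print "digraph \"G\"{graph[rank=same];ranksep=3;node[style=\"rounded,filled\" shape=box color=lightblue3];rankdir=LR;pin=true;forcelabels=true;splines=polyline;overlap=false;concentrate=true;edge[arrowhead=vee,arrowtail=inv,arrowsize=.7,color=cornflowerblue,fontsize=10,fontcolor=navy];"
    }
    {
      # The edge chain; flow_id is quoted so an absent id yields label="".
      print dq($1) " -> " dq($2) " -> " dq($3) " -> " dq($4) "[label=" dq($5) "];"
      # Per-node styling, space-separated on one line like the original.
      print dq($4) "[shape=ellipse, color=lightgrey, style=filled, fillcolor=orange]",
            dq($1) "[shape=ellipse, color=lightgrey, style=filled, fillcolor=khaki]",
            dq($2) "[shape=ellipse, color=lightgrey, style=filled, fillcolor=palegreen]"
    }
    END { print "}" }
  '
}

jq -r 'select(.alert)
       | select(((.alert.category // "") + " " + (.alert.signature // ""))
                | test("JA3|Firehol|Not Suspicious|Generic Protocol") | not)
       | [.src_ip, .dest_ip, .alert.category, .alert.signature, .flow_id]
       | @tsv' eve.json \
  | head -n "${LIMIT:-10}" \
  | alert_dot \
  | dot -Gdpi=100 -Tpng -o suricata.png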