Suricata alerts/severity

Suricata alerts according to security level ($8<=2) and quantity…

```bash
jq -c 'select(.alert.signature) |
       [.flow_id, .src_ip, .src_port, .dest_ip, .dest_port,
        .app_proto, .alert.signature, .alert.severity]' eve.json |  # one JSON array per alert event
tr -d '"[]' |                               # strip quotes and brackets: one comma-separated row per alert
grep -Eiv 'Dropbox|HUNT|DynDNS' |           # drop known-noisy signatures (egrep in the original)
awk -F, -v OFS=, '$8 <= 2 { a[$0]++ } END { for (i in a) print i, a[i] }' |  # keep severity 1-2 (1 = high), count identical rows; a comma inside a signature shifts $8
sort -t, -k9 -gr |                          # most frequent first (field 9 = count)
head -n 60 |
sed '1i\Flow_ID,Origen,PuertoO,Destino,PuertoD,Proto_App,Alerta,Severity,Num' |  # prepend header (GNU sed syntax)
column -s, -txne |                          # align as a table (options as in the poster's column build)
colout 'Flow_ID.*' orange reverse           # highlight the header line
```
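The same summary reimplemented in Python as an added example (not the poster's code): it reads the JSON fields directly, so a signature containing a comma is not split into an extra column as it is by the `tr`/`awk` stage, and a missing `app_proto` stays an empty cell. The eve.json lines are constructed samples, and `summarise` is a hypothetical helper name.

```python
import json
import re
from collections import Counter

# Noise list from the post's egrep -iv, matched on the signature text only.
NOISY = re.compile(r"Dropbox|HUNT|DynDNS", re.IGNORECASE)
FIELDS = ("flow_id", "src_ip", "src_port", "dest_ip", "dest_port", "app_proto")


def summarise(lines, max_severity=2, top=60):
    """Count identical (flow fields, signature, severity) rows among alert events
    with severity <= max_severity (Suricata: 1 = high, 2 = medium, 3 = low).
    Returns [(row, count), ...] sorted by count descending, capped at `top`."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)  # eve.json holds one JSON object per line
        alert = ev.get("alert")
        if not alert or not alert.get("signature"):
            continue  # jq select(.alert.signature): skips flow/dns/... records
        if alert.get("severity", 99) > max_severity:
            continue  # awk $8<=2
        if NOISY.search(alert["signature"]):
            continue
        row = tuple(ev.get(f) for f in FIELDS) + (alert["signature"], alert["severity"])
        counts[row] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return ranked[:top]


# Constructed sample eve.json lines (not real traffic). The first signature has a
# comma, which the tr/awk pipeline would split into an extra column.
SAMPLE = """
{"flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":43210,"dest_ip":"203.0.113.7","dest_port":80,"app_proto":"http","alert":{"signature":"ET POLICY Example, commas in name","severity":2}}
{"flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":43210,"dest_ip":"203.0.113.7","dest_port":80,"app_proto":"http","alert":{"signature":"ET POLICY Example, commas in name","severity":2}}
{"flow_id":2,"event_type":"alert","src_ip":"10.0.0.5","src_port":53411,"dest_ip":"198.51.100.2","dest_port":53,"alert":{"signature":"ET MALWARE Sample DNS lookup","severity":1}}
{"flow_id":3,"event_type":"alert","src_ip":"10.0.0.9","src_port":50000,"dest_ip":"203.0.113.9","dest_port":443,"app_proto":"tls","alert":{"signature":"ET INFO Dropbox client","severity":1}}
{"flow_id":4,"event_type":"alert","src_ip":"10.0.0.9","src_port":50001,"dest_ip":"203.0.113.9","dest_port":443,"app_proto":"tls","alert":{"signature":"ET INFO Low-priority thing","severity":3}}
{"flow_id":5,"event_type":"flow","src_ip":"10.0.0.9","src_port":50002,"dest_ip":"203.0.113.9","dest_port":443,"app_proto":"tls"}
"""

if __name__ == "__main__":
    header = ("Flow_ID", "Origen", "PuertoO", "Destino", "PuertoD", "Proto_App", "Alerta", "Severity", "Num")
    print("\t".join(header))
    for row, n in summarise(SAMPLE.splitlines()):
        print("\t".join("" if v is None else str(v) for v in row + (n,)))
```

Run it against a real file with `summarise(open("eve.json"))`; only the Dropbox and severity-3 rows and the non-alert flow record are dropped from the sample.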
