labeling does not find any label #14
Comments
Hi Istvan, glad to help!
In case records have been found, these will be displayed in a table view. To generate the audit records use net.capture:
Now your working directory should look like this:
If you now execute net.label and pass the pcap file for scanning, the alerts that were found will be mapped to the audit records, resulting in several CSV files with the _labeled extension:
In that case most likely there is an error in the regular expressions used for parsing, or there was a format update for the output in the latest suricata version. I will refactor netcap soon to use the eve.json log file instead, then the old regular expression based parsing logic will become obsolete anyway and the alert parsing will be much more robust. Cheers,
Seems like this was resolved, if not ping me via mail and I will reopen the issue.
I have executed an ssh-brute-force attack against my victim linux host, and it pops up in suricata's
fast.log, but after all, the label command on my trace file shows nothing (even the fast.log copied by the label command is empty..)
fast.log:
09/20/2019-10:27:18.123609 [] [1:2001219:20] ET SCAN Potential SSH Scan [] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.xx.xx.xx:44552 -> 192.xx.xx.xx:22
09/20/2019-10:27:20.198623 [] [1:10000001:1] Possible SSH brute forcing! [] [Classification: An attempted login using a suspicious username was detected] [Priority: 2] {TCP} 172.xx.xx.xx:44560 -> 192.xx.xx.xx:22
labeling:
label -debug -r ../../sshbrute-attack.pcap
checking log dir: ../../sshbrute-attack
removing suricata logfiles from previous runs
scanning ../../sshbrute-attack.pcap with suricata...
done. reading logs from ../../sshbrute-attack/fast.log
parsing suricata fast.log
0 alerts ignored in labelMap
no labels found.
Could you please help? What am I missing?
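The fast.log lines quoted above are exactly what the regular-expression based label step has to parse. As an added example (not netcap's or the maintainer's code), here is a Go parser for that fast.log layout which also returns the lines it could not match, so a run that ends in zero labels at least says which alerts were skipped; the sample log and its addresses are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Alert is one parsed Suricata fast.log record.
type Alert struct {
	Time                     time.Time
	SID, Priority            int
	Message, Class, Src, Dst string
}

// fastLogRe follows the layout pasted in the issue, accepting Suricata's "[**]" separators and the bare "[]"
// left by markdown rendering. Classification is optional: Suricata omits it for rules without a classtype.
var fastLogRe = regexp.MustCompile(`^(\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d{6})\s+\[\**\]\s+\[\d+:(\d+):\d+\]\s+(.*?)\s+\[\**\]\s+` +
	`(?:\[Classification:\s*(.*?)\]\s+)?\[Priority:\s*(\d+)\]\s+\{\w+\}\s+(\S+)\s+->\s+(\S+)$`)
// ParseFastLog parses every line of a fast.log and returns the lines it could not parse
// separately, so an operator can see why a labeling run produced zero labels.
func ParseFastLog(log string) (alerts []Alert, unparsed []string) {
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		m := fastLogRe.FindStringSubmatch(line)
		if m == nil {
			unparsed = append(unparsed, line)
			continue
		}
		// Timestamps are MM/DD/YYYY-hh:mm:ss.micro in the sensor's local time.
		ts, err := time.Parse("01/02/2006-15:04:05.000000", m[1])
		if err != nil {
			unparsed = append(unparsed, line)
			continue
		}
		sid, _ := strconv.Atoi(m[2]) // digits only, guaranteed by the regex
		prio, _ := strconv.Atoi(m[5])
		alerts = append(alerts, Alert{ts, sid, prio, m[3], m[4], m[6], m[7]})
	}
	return alerts, unparsed
}
// sampleFastLog is constructed for this example after the log in the issue; the addresses are made up.
const sampleFastLog = `09/20/2019-10:27:18.123609  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.0.10:44552 -> 192.168.1.20:22
09/20/2019-10:27:20.198623  [**] [1:10000001:1] Possible SSH brute forcing! [**] [Classification: An attempted login using a suspicious username was detected] [Priority: 2] {TCP} 172.16.0.10:44560 -> 192.168.1.20:22
09/20/2019-10:27:21.000000  [**] [1:10000002:1] Constructed rule without a classtype [**] [Priority: 3] {TCP} 172.16.0.10:44561 -> 192.168.1.20:22`
func main() {
	alerts, unparsed := ParseFastLog(sampleFastLog)
	fmt.Printf("%d alert(s) parsed, %d line(s) unparsed\n%+v\n", len(alerts), len(unparsed), alerts)
}
```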