17.1.3. Eve JSON 'jq' Examples
The jq tool is very useful for quickly parsing and filtering JSON files. This page contains various examples of how it can be used with Suricata's eve.json, which holds one JSON record per line.
The basics of jq itself are discussed in the jq manual; the examples below only use select, map, group_by and a few shell tools around them.
17.1.3.1. Colorize output
tail -f eve.json | jq -c '.'
The -c flag prints each event on a single line, which is what keeps a live tail readable. jq colours its output only when writing to a terminal; when piping into less, use jq -C together with less -R to keep the colours.
17.1.3.2. DNS NXDOMAIN
tail -f eve.json|jq -c 'select(.dns.rcode=="NXDOMAIN")'
17.1.3.3. Unique HTTP User Agents
cat eve.json | jq -s '[.[]|select(.event_type=="http" and .http.http_user_agent!=null)|.http.http_user_agent]|group_by(.)|map({key:.[0],value:(.|length)})|from_entries'
The select keeps non-HTTP events, and HTTP requests without a User-Agent header, out of the count; without it every other record contributes a null entry. Note that -s (slurp) reads the whole file into memory before filtering, so on a busy sensor run it on a bounded slice (tail -n) instead of the full file.
Source: https://twitter.com/mattarnao/status/601807374647750657
17.1.3.4. Data use for a host
tail -n500000 eve.json | jq -s 'map(select(.event_type=="netflow" and .dest_ip=="192.168.1.3").netflow.bytes)|add'|numfmt --to=iec
Example output:
1.3G
Note: -s loads all 500000 events into memory at once, so this can use a lot of memory; shrink the tail window if the sensor is busy. Netflow records are unidirectional, so this sums the bytes of flows whose destination is 192.168.1.3; use src_ip instead to see the other direction. Source: https://twitter.com/pkt_inspector/status/605524218722148352
17.1.3.5. Monitor part of the stats
tail -f eve.json | jq -c 'select(.event_type=="stats")|.stats.decoder'
17.1.3.6. Inspect Alert Data
cat eve.json | jq -r -c 'select(.event_type=="alert" and .payload!=null)|.payload'|base64 --decode
The payload field is only written when payload logging is enabled for the alert output in suricata.yaml (payload: yes). Without it, jq -r would print the string null for every alert and base64 --decode would happily turn that into garbage bytes, hence the .payload!=null check. The decoded payloads are written back to back with no separator between alerts; if you only want to eyeball the data, enabling payload-printable instead logs an escaped, printable copy in the payload_printable field that needs no decoding.
17.1.3.7. Top 10 Destination Ports
cat eve.json | jq -c 'select(.event_type=="flow")|[.proto, .dest_port]'|sort |uniq -c|sort -nr|head -n10
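All of the one-liners above work because eve.json carries one complete JSON record per line. The following Python script is added here as an example and is not part of the Suricata documentation or project; it performs the same aggregations (bytes per destination host, top destination ports, User-Agent counts, NXDOMAIN names and decoded alert payloads) in a single streaming pass, so it avoids the memory cost of jq -s noted above, skips a truncated trailing record that Suricata is still writing, and treats a missing payload field as "no payload" rather than decoding the string null. The records embedded in SAMPLE_EVE are constructed for this example, not captured from a sensor, and human_iec is a stand-in for numfmt --to=iec.

```python
import base64
import binascii
import json
from collections import Counter

# Constructed sample eve.json content for this example; not captured from a real
# sensor. Each record is one line, exactly as Suricata writes eve.json. The final
# line is deliberately truncated, as the last line of a live eve.json can be.
SAMPLE_EVE = "\n".join(json.dumps(e) for e in [
    {"event_type": "netflow", "dest_ip": "192.168.1.3", "netflow": {"bytes": 1500}},
    {"event_type": "netflow", "dest_ip": "192.168.1.3", "netflow": {"bytes": 2500}},
    {"event_type": "netflow", "dest_ip": "192.168.1.9", "netflow": {"bytes": 700}},
    {"event_type": "flow", "proto": "TCP", "dest_port": 443},
    {"event_type": "flow", "proto": "TCP", "dest_port": 443},
    {"event_type": "flow", "proto": "UDP", "dest_port": 53},
    {"event_type": "http", "http": {"http_user_agent": "curl/8.0"}},
    {"event_type": "http", "http": {"http_user_agent": "curl/8.0"}},
    {"event_type": "http", "http": {"hostname": "x"}},           # no User-Agent header
    {"event_type": "dns", "dns": {"type": "answer", "rrname": "bad.example", "rcode": "NXDOMAIN"}},
    {"event_type": "dns", "dns": {"type": "answer", "rrname": "ok.example", "rcode": "NOERROR"}},
    {"event_type": "alert", "alert": {"signature_id": 1},
     "payload": base64.b64encode(b"GET /admin HTTP/1.1\r\n").decode()},
    {"event_type": "alert", "alert": {"signature_id": 2}},         # payload logging off
]) + '\n{"event_type": "flow", "proto": "TC'


def iter_events(lines):
    """Yield one parsed event per line without loading the whole file into
    memory (the problem with jq -s). Blank and truncated lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize(lines):
    """Single pass over eve.json: bytes per destination host (netflow), top
    destination ports (flow), User-Agent counts (http), NXDOMAIN names (dns)
    and decoded alert payloads (alert)."""
    bytes_per_host = Counter()
    dest_ports = Counter()
    user_agents = Counter()
    nxdomain = []
    payloads = []
    for ev in iter_events(lines):
        et = ev.get("event_type")
        if et == "netflow":
            bytes_per_host[ev.get("dest_ip")] += ev.get("netflow", {}).get("bytes", 0)
        elif et == "flow":
            dest_ports[(ev.get("proto"), ev.get("dest_port"))] += 1
        elif et == "http":
            ua = ev.get("http", {}).get("http_user_agent")
            if ua is not None:               # jq's group_by would file these under null
                user_agents[ua] += 1
        elif et == "dns" and ev.get("dns", {}).get("rcode") == "NXDOMAIN":
            nxdomain.append(ev["dns"].get("rrname"))
        elif et == "alert":
            sid = ev.get("alert", {}).get("signature_id")
            raw = ev.get("payload")          # absent unless payload logging is enabled
            try:
                decoded = None if raw is None else base64.b64decode(raw, validate=True)
            except (binascii.Error, ValueError):
                decoded = None               # corrupt base64: report no payload, keep going
            payloads.append((sid, decoded))
    return {
        "bytes_per_host": dict(bytes_per_host),
        "top_dest_ports": dest_ports.most_common(10),
        "user_agents": dict(user_agents),
        "nxdomain": nxdomain,
        "payloads": payloads,
    }


def human_iec(n):
    """IEC-style size with one decimal, a stand-in for numfmt --to=iec
    (numfmt's rounding may differ slightly): 700 -> '700B', 4000 -> '3.9K'."""
    for unit in ("B", "K", "M", "G", "T"):
        if n < 1024 or unit == "T":
            return f"{n:.0f}{unit}" if unit == "B" else f"{n:.1f}{unit}"
        n /= 1024


if __name__ == "__main__":
    import sys
    # Pass a real eve.json path as the first argument; otherwise the sample is used.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE.splitlines()
    s = summarize(source)
    for host, total in s["bytes_per_host"].items():
        print(f"{host}: {human_iec(total)}")
    print("top ports:", s["top_dest_ports"])
    print("user agents:", s["user_agents"])
    print("NXDOMAIN:", s["nxdomain"])
    for sid, payload in s["payloads"]:
        print(f"sid {sid}: {payload!r}")
```

Because the file is consumed line by line, the script can be pointed at a multi-gigabyte eve.json, or at `tail -f` output on stdin with a small change, without the memory spike that jq -s causes; the per-alert decode also keeps each payload attached to its signature id instead of running them all together.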