12.1.3. Eve JSON ‘jq’ Examples

The jq tool is very useful for quickly parsing and filtering JSON files. This page is contains various examples of how it can be used with Suricata’s Eve.json.

The basics are discussed here:

12.1.3.1. Colorize output

tail -f eve.json | jq -c '.'

12.1.3.2. DNS NXDOMAIN

tail -f eve.json|jq -c 'select(.dns.rcode=="NXDOMAIN")'

12.1.3.3. Unique HTTP User Agents

cat eve.json | jq -s '[.[]|.http.http_user_agent]|group_by(.)|map({key:.[0],value:(.|length)})|from_entries'

Source: https://twitter.com/mattarnao/status/601807374647750657

12.1.3.4. Data use for a host

tail -n500000 eve.json | jq -s 'map(select(.event_type=="netflow" and .dest_ip=="192.168.1.3").netflow.bytes)|add'|numfmt --to=iec
1.3G

Note: can use a lot of memory. Source: https://twitter.com/pkt_inspector/status/605524218722148352

12.1.3.5. Monitor part of the stats

$ tail -f eve.json | jq -c 'select(.event_type=="stats")|.stats.decoder'

12.1.3.6. Inspect Alert Data

cat eve.json | jq -r -c 'select(.event_type=="alert")|.payload'|base64 --decode

12.1.3.7. Top 10 Destination Ports

cat eve.json | jq -c 'select(.event_type=="flow")|[.proto, .dest_port]'|sort |uniq -c|sort -nr|head -n10