#29 - jq & json
jq adalah aplikasi yang boleh kita gunakan untuk parse file json (javascript object notation). Antara aplikasi yang menghasilkan log dalam format json adalah suricata (ids/ips/nsm) dan cowrie (honeypot); kedua-duanya menulis satu objek json setiap baris, jadi jq memproses log tersebut rekod demi rekod. Biasanya log dalam bentuk json ini saya hantar ke elastic stack.
Contoh penggunaan
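# Pretty-print every record in the cowrie log. jq reads the file directly,
# so the `cat` pipe is unnecessary (useless use of cat).
jq . cowrie.json | less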
{
"eventid": "cowrie.login.failed",
"username": "admin",
"timestamp": "2019-08-31T00:00:04.209691Z",
"message": "login attempt [admin/atlantis] failed",
"src_ip": "193.xx.xx.214",
"session": "82880f663a67",
"password": "atlantis",
"sensor": "e5b92efa51f6"
}
{
"eventid": "cowrie.login.failed",
"username": "admin",
"timestamp": "2019-08-31T00:00:05.406809Z",
"message": "login attempt [admin/system] failed",
"src_ip": "193.xx.xx.214",
"session": "82880f663a67",
"password": "system",
"sensor": "e5b92efa51f6"
}
{
"eventid": "cowrie.login.failed",
"username": "admin",
"timestamp": "2019-08-31T00:00:06.604531Z",
"message": "login attempt [admin/barricade] failed",
"src_ip": "193.xx.xx.214",
"session": "82880f663a67",
"password": "barricade",
"sensor": "e5b92efa51f6"
}
{
"eventid": "cowrie.session.connect",
"src_ip": "45.xx.xx.105",
"src_port": 35401,
"timestamp": "2019-08-31T00:00:07.043507Z",
"message": "New connection: 45.x.x.105:35401 (172.18.0.2:2223) [session: 766d83ab88f7]",
"dst_ip": "172.18.0.2",
"protocol": "telnet",
"session": "766d83ab88f7",
"dst_port": 2223,
"sensor": "e5b92efa51f6"
}
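# Records of one cowrie session that carry a "url" field, i.e. the
# cowrie.session.file_download events; both conditions fit in one select().
# jq reads the file itself, so no `cat` pipe is needed.
# `less -R` only matters when jq is run with -C (forced colour output);
# plain piped jq output contains no escape codes.
jq 'select(.session=="663e08f0c547" and .url!=null)' cowrie.json | less -R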
{
"eventid": "cowrie.session.file_download",
"shasum": "1b2a75b21573156eb2231e6cc900709651ac50d8ccdd47a032b1129501555137",
"url": "hxxp://45.x.x.105:80/bins/meerkat.x86",
"timestamp": "2019-08-31T00:00:18.845114Z",
"destfile": "-",
"src_ip": "45.x.x.105",
"outfile": "var/lib/cowrie/downloads/1b2a75b21573156eb2231e6cc900709651ac50d8ccdd47a032b1129501555137",
"session": "663e08f0c547",
"message": "Downloaded URL (hxxp://45.x.x.105:80/bins/meerkat.x86) with SHA-256 1b2a75b21573156eb2231e6cc900709651ac50d8ccdd47a032b1129501555137 to var/lib/cowrie/downloads/1b2a75b21573156eb2231e6cc900709651ac50d8ccdd47a032b1129501555137",
"sensor": "e5b92efa51f6"
}
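# Suricata eve.json records whose event_type is "http" only;
# jq takes the filename directly, no `cat` pipe required.
jq 'select(.event_type == "http")' eve.json | less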
{
"timestamp": "2019-08-26T06:44:24.003064+0000",
"flow_id": 562952057717589,
"event_type": "http",
"src_ip": "a.b.c.d",
"src_port": 50470,
"dest_ip": "23.a.b.c ",
"dest_port": 80,
"proto": "TCP",
"tx_id": 0,
"http": {
"hostname": "23.x.x.13",
"url": "/zehir/z3hir.x86",
"http_user_agent": "Wget/1.11.4",
"http_method": "GET",
"protocol": "HTTP/1.0",
"length": 0
}
}
{
"timestamp": "2019-08-26T06:44:24.003336+0000",
"flow_id": 1451441204939952,
"event_type": "http",
"src_ip": "a.b.c.d",
"src_port": 50472,
"dest_ip": "23.a.b.c",
"dest_port": 80,
"proto": "TCP",
"tx_id": 0,
"http": {
"hostname": "23.a.b.c ",
"url": "/zehir/z3hir.x86",
"http_user_agent": "Wget/1.11.4",
"http_method": "GET",
"protocol": "HTTP/1.0",
"length": 0
}
Selamat mencuba!
[1] JQ CheatSheet https://lzone.de/cheat-sheet/jq