jq adalah aplikasi baris arahan yang boleh kita gunakan untuk menapis dan memformat fail JSON (JavaScript Object Notation). Antara aplikasi yang menghasilkan log dalam format JSON ialah Suricata (IDS/IPS/NSM) dan Cowrie (honeypot). Biasanya log JSON ini saya hantar ke Elastic Stack. Perlu diingat bahawa medan seperti username, password, message dan url dalam log honeypot adalah input yang dikawal sepenuhnya oleh penyerang — jangan salin-tampal nilainya terus ke shell atau ke pertanyaan lain tanpa disanitasi. Fail yang dimuat turun oleh Cowrie ke var/lib/cowrie/downloads (lihat eventid cowrie.session.file_download di bawah) pula ialah sampel malware; kendalikannya hanya dalam persekitaran terasing dan sebab itulah URL dalam contoh ditulis sebagai hxxp.

Contoh penggunaan

 # Pretty-print every event in cowrie.json (one JSON object per line) and page through it.
 # jq reads the file directly, so no `cat` is needed on the left of the pipe.
 jq . cowrie.json | less
{
  "eventid": "cowrie.login.failed",
  "username": "admin",
  "timestamp": "2019-08-31T00:00:04.209691Z",
  "message": "login attempt [admin/atlantis] failed",
  "src_ip": "193.xx.xx.214",
  "session": "82880f663a67",
  "password": "atlantis",
  "sensor": "e5b92efa51f6"
}
{
  "eventid": "cowrie.login.failed",
  "username": "admin",
  "timestamp": "2019-08-31T00:00:05.406809Z",
  "message": "login attempt [admin/system] failed",
  "src_ip": "193.xx.xx.214",
  "session": "82880f663a67",
  "password": "system",
  "sensor": "e5b92efa51f6"
}
{
  "eventid": "cowrie.login.failed",
  "username": "admin",
  "timestamp": "2019-08-31T00:00:06.604531Z",
  "message": "login attempt [admin/barricade] failed",
  "src_ip": "193.xx.xx.214",
  "session": "82880f663a67",
  "password": "barricade",
  "sensor": "e5b92efa51f6"
}
{
  "eventid": "cowrie.session.connect",
  "src_ip": "45.xx.xx.105",
  "src_port": 35401,
  "timestamp": "2019-08-31T00:00:07.043507Z",
  "message": "New connection: 45.x.x.105:35401 (172.18.0.2:2223) [session: 766d83ab88f7]",
  "dst_ip": "172.18.0.2",
  "protocol": "telnet",
  "session": "766d83ab88f7",
  "dst_port": 2223,
  "sensor": "e5b92efa51f6"
}
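 # Show only the events of one session that carry a url field, i.e. the
 # file-download events for that session.
 # jq colours its output only when stdout is a terminal; when piped into
 # less there are no escape sequences for `less -R` to render, so -C is
 # needed to force colour. Both conditions are folded into one select().
 jq -C 'select(.session=="663e08f0c547" and .url!=null)' cowrie.json | less -R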

{
  "eventid": "cowrie.session.file_download",
  "shasum": "1b2a75b21573156eb2231e6cc900709651ac50d8ccdd47a032b1129501555137",
  "url": "hxxp://45.x.x.105:80/bins/meerkat.x86",
  "timestamp": "2019-08-31T00:00:18.845114Z",
  "destfile": "-",
  "src_ip": "45.x.x.105",
  "outfile": "var/lib/cowrie/downloads/1b2a75b21573156eb2231e6cc900709651ac50d8ccdd47a032b1129501555137",
  "session": "663e08f0c547",
  "message": "Downloaded URL (hxxp://45.x.x.105:80/bins/meerkat.x86) with SHA-256 1b2a75b21573156eb2231e6cc900709651ac50d8ccdd47a032b1129501555137 to var/lib/cowrie/downloads/1b2a75b21573156eb2231e6cc900709651ac50d8ccdd47a032b1129501555137",
  "sensor": "e5b92efa51f6"
}

 # Filter the EVE log (presumably Suricata's eve.json — confirm) down to HTTP events and page through them.
 # jq takes the file name as an argument, so `cat` is unnecessary.
 jq 'select(.event_type == "http")' eve.json | less
 {
   "timestamp": "2019-08-26T06:44:24.003064+0000",
   "flow_id": 562952057717589,
   "event_type": "http",
   "src_ip": "a.b.c.d",
   "src_port": 50470,
   "dest_ip": "23.a.b.c",
   "dest_port": 80,
   "proto": "TCP",
   "tx_id": 0,
   "http": {
     "hostname": "23.x.x.13",
     "url": "/zehir/z3hir.x86",
     "http_user_agent": "Wget/1.11.4",
     "http_method": "GET",
     "protocol": "HTTP/1.0",
     "length": 0
   }
 }
 {
   "timestamp": "2019-08-26T06:44:24.003336+0000",
   "flow_id": 1451441204939952,
   "event_type": "http",
   "src_ip": "a.b.c.d",
   "src_port": 50472,
   "dest_ip": "23.a.b.c",
   "dest_port": 80,
   "proto": "TCP",
   "tx_id": 0,
   "http": {
     "hostname": "23.a.b.c",
     "url": "/zehir/z3hir.x86",
     "http_user_agent": "Wget/1.11.4",
     "http_method": "GET",
     "protocol": "HTTP/1.0",
     "length": 0
   }