Question

Question 1

Filter out only HTTP events from /var/log/suricata/old_eve.json using the jq command-line JSON processor. Enter the flow_id that you will come across as your answer.

cat /var/log/suricata/old_eve.json | jq -c 'select(.event_type == "http")' | head -1 | jq .

Question 2

Enable the http-log output in suricata.yaml and run Suricata against /home/htb-student/pcaps/suspicious.pcap. Enter the requested PHP page as your answer. Answer format: _.php

  • Enable http-log output in suricata.yaml: in the outputs: section, find the - http-log: entry and change enabled: no to enabled: yes (the default filename is http.log, written to the log directory)

vim /etc/suricata/suricata.yaml
  • Run Suricata against /home/htb-student/pcaps/suspicious.pcap, with checksum verification disabled (-k none) and the log directory set to the current directory (-l .)

suricata -r /home/htb-student/pcaps/suspicious.pcap -k none -l .
  • cat eve.json | jq | grep '\.php' - This shows every line of eve.json that contains .php; the requested page appears in the http.url field of the http events. With http-log enabled, the same request is also listed in the http.log file written to the same directory.
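As an added example (not part of the original write-up or of the HTB module), the following Python script does offline what the jq and grep pipelines in Question 1 and Question 2 do: it reads an EVE JSON file line by line, keeps only the events with event_type == "http", reports the first flow_id, and lists the PHP pages found in http.url. The embedded log lines are constructed for illustration (the flow_ids, hostname and page name are made up and are not the lab's answers); the field names follow Suricata's EVE format. Unlike the one-liners, it skips a truncated trailing line instead of aborting, which matters when eve.json is read while Suricata is still writing it.

```python
"""Filter Suricata EVE JSON (one object per line) the way the jq pipelines
in the walkthrough do. Added example; the sample log below is constructed."""
import json
import sys

# Constructed eve.json sample: a flow event, two HTTP events (one requesting
# a PHP page), an alert, and a truncated last line as seen when the file is
# read while Suricata is still writing it. Field names follow EVE's schema.
SAMPLE_EVE = """\
{"timestamp":"2023-01-01T10:00:00.000000+0000","flow_id":1111111111111111,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}
{"timestamp":"2023-01-01T10:00:01.000000+0000","flow_id":2222222222222222,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","http":{"hostname":"example.test","url":"/index.html","http_method":"GET","status":200}}
{"timestamp":"2023-01-01T10:00:02.000000+0000","flow_id":3333333333333333,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature":"constructed test alert"}}
{"timestamp":"2023-01-01T10:00:03.000000+0000","flow_id":4444444444444444,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","http":{"hostname":"example.test","url":"/cgi/sample_page.php?id=1","http_method":"GET","status":200}}
{"timestamp":"2023-01-01T10:00:04.000000+0000","flow_id":5555555555555555,"event_type":"http","src_ip":"10.0.0.5","dest_ip":
"""


def iter_events(text):
    """Yield one dict per well-formed EVE line; skip blank and truncated lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # A partial last line is normal on a live eve.json; ignore it
            # rather than abort the whole run.
            continue


def http_events(text):
    """Equivalent of: jq -c 'select(.event_type == "http")'"""
    return [ev for ev in iter_events(text) if ev.get("event_type") == "http"]


def first_http_flow_id(text):
    """Question 1: flow_id of the first HTTP event (the jq ... | head -1 step)."""
    events = http_events(text)
    return events[0]["flow_id"] if events else None


def requested_php_pages(text):
    """Question 2: distinct PHP page names taken from http.url, with the
    query string stripped so 'sample_page.php?id=1' reports as 'sample_page.php'."""
    pages = []
    for ev in http_events(text):
        url = ev.get("http", {}).get("url", "")
        path = url.split("?", 1)[0]
        name = path.rsplit("/", 1)[-1]
        if name.lower().endswith(".php") and name not in pages:
            pages.append(name)
    return pages


if __name__ == "__main__":
    # Usage: python3 eve_http.py [/path/to/eve.json]; without an argument the
    # constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_EVE
    print("first HTTP flow_id:", first_http_flow_id(data))
    print("PHP pages requested:", requested_php_pages(data))
```

Run it against the lab file with python3 eve_http.py /var/log/suricata/old_eve.json for Question 1, or against the eve.json produced by the suricata -r run above for Question 2; the script only reads the file, so it is safe to use while Suricata is still writing to it.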
