parsing suricata logs with python script.
by ////// from LinuxQuestions.org on (#53D58)
Hello all.
I've got a problem with suricata_extractor.py.
No matter what I do, it throws up an error.
Code:# ./suricata_extractor.py -f /home/vile/Downloads/sample_eve.json
File "./suricata_extractor.py", line 187
print '\ncat:{}, sev:{}, sig:{}, srcip:{}, dstip:{}, srcp:{}, dstp:{}'.format(
^
SyntaxError: invalid syntax
Part of the Python script is here:
Code: Receive a flow and use it
"""
# If we were told to get the bandwidth, do ti
if args.bandwidth:
if 'TCP' in proto:
try:
data = self.bandwidth[dstport]
self.bandwidth[dstport] += bytes_toserver \
+ bytes_toclient
except KeyError:
self.bandwidth[dstport] = bytes_toserver \
+ bytes_toclient
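def add_alert(
    self,
    category,
    severity,
    signature,
    src_ip,
    dst_ip,
    srcport,
    destport,
):
    """
    Receive an alert and add it to the current time window (TW).

    Every field is tallied in its own per-window counter dict on
    ``self``: ``categories``, ``severities``, ``signatures``, ``src_ips``,
    ``dst_ips``, ``src_ports`` and ``dst_ports``.  An empty category is
    counted under the key 'Unknown Traffic'.

    Args:
        category: alert category string; may be ''.
        severity: alert severity; passed through int() before counting,
            so '2' and 2 land in the same bucket.
        signature: rule signature text.
        src_ip, dst_ip: endpoint addresses as carried by the eve record.
        srcport, destport: endpoint ports as carried by the eve record.

    Raises:
        ValueError / TypeError: if ``severity`` cannot be converted
            with int().
    """
    def bump(counter, key):
        # Increment one tally, creating the entry on first sight.
        counter[key] = counter.get(key, 0) + 1

    if args.debug > 1:
        # print() with a single argument is valid under both Python 2
        # and 3; the former Python 2 print *statement* is what raised
        # "SyntaxError: invalid syntax" when the script ran on Python 3.
        # The values echoed here are whatever the eve record carried.
        print('\ncat:{}, sev:{}, sig:{}, srcip:{}, dstip:{}, srcp:{}, dstp:{}'.format(
            category,
            severity,
            signature,
            src_ip,
            dst_ip,
            srcport,
            destport,
        ))
    # Categories: an empty category is filed as 'Unknown Traffic'
    bump(self.categories, 'Unknown Traffic' if category == '' else category)
    # Severities
    bump(self.severities, int(severity))
    # Signatures
    bump(self.signatures, signature)
    # Srcip
    bump(self.src_ips, src_ip)
    # Dstip
    bump(self.dst_ips, dst_ip)
    # Srcport
    bump(self.src_ports, srcport)
    # dstport
    bump(self.dst_ports, destport)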
https://pastebin.com/ytvVGniF
and here is sample_eve.json :
Code:{"timestamp":"2017-05-05T21:49:10.398838+0200","flow_id":848899601733110,"in_iface":"eth3.2302","event_type":"dns","src_ip":"81.30.240.203","src_port":46304,"dest_ip":"147.32.80.9","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6969,"rrname":"iphonesubmissions.apple.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-05-05T21:49:10.399367+0200","flow_id":848899601733110,"in_iface":"eth3.2302","event_type":"dns","src_ip":"147.32.80.9","src_port":53,"dest_ip":"81.30.240.203","dest_port":46304,"proto":"UDP","dns":{"type":"answer","id":6969,"rcode":"REFUSED","rrname":"iphonesubmissions.apple.com"}}
{"timestamp":"2017-05-05T21:49:10.495594+0200","flow_id":1833172962021354,"in_iface":"eth3.2302","event_type":"alert","src_ip":"45.55.10.206","src_port":57362,"dest_ip":"147.32.82.3","dest_port":5632,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2402000,"rev":4433,"signature":"ET DROP Dshield Block Listed Source group 1","category":"Misc Attack","severity":2}}
{"timestamp":"2017-05-05T21:49:10.495594+0200","flow_id":1833172962021354,"in_iface":"eth3.2302","event_type":"alert","src_ip":"45.55.10.206","src_port":57362,"dest_ip":"147.32.82.3","dest_port":9999,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2403345,"rev":3524,"signature":"ET CINS Active Threat Intelligence Poor Reputation IP group 46","category":"Misc Attack","severity":2}}
{"timestamp":"2017-05-05T21:49:10.540270+0200","flow_id":1258188510215441,"in_iface":"eth3.2302","event_type":"alert","src_ip":"147.32.81.184","src_port":3389,"dest_ip":"5.8.50.70","dest_port":9259,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001330,"rev":8,"signature":"ET POLICY RDP connection confirm","category":"Misc activity","severity":3}}
{"timestamp":"2017-05-05T21:49:10.548109+0200","flow_id":514493448084749,"in_iface":"eth3.2302","event_type":"alert","src_ip":"218.90.83.226","src_port":46317,"dest_ip":"147.32.82.3","dest_port":5632,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2010935,"rev":2,"signature":"ET POLICY Suspicious inbound to MSSQL port 1433","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-05-05T21:49:10.669889+0200","flow_id":72545608284353,"in_iface":"eth3.2302","event_type":"alert","src_ip":"218.90.83.226","src_port":10980,"dest_ip":"147.32.82.3","dest_port":9999,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2403368,"rev":3524,"signature":"ET CINS Active Threat Intelligence Poor Reputation IP group 69","category":"Misc Attack","severity":2}}
{"timestamp":"2017-05-05T21:49:10.679773+0200","flow_id":1120358714745798,"in_iface":"eth3.2302","event_type":"http","src_ip":"147.32.83.134","src_port":45128,"dest_ip":"5.189.169.136","dest_port":7080,"proto":"TCP","tx_id":0,"http":{"hostname":"bo1.tryb.de","url":"\/","http_user_agent":"bo-android","http_content_type":"application\/json","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3}}
{"timestamp":"2017-05-05T21:49:10.679773+0200","flow_id":1120358714745798,"in_iface":"eth3.2302","event_type":"fileinfo","src_ip":"147.32.83.134","src_port":45128,"dest_ip":"5.189.169.136","dest_port":7080,"proto":"TCP","http":{"hostname":"bo1.tryb.de","url":"\/","http_user_agent":"bo-android","http_content_type":"application\/json","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3},"app_proto":"http","fileinfo":{"filename":"\/","state":"CLOSED","md5":"c45daac3b2ec2b3b8b807e235b2c5f48","stored":false,"size":47,"tx_id":0}}
{"timestamp":"2017-05-05T21:49:10.722807+0200","flow_id":796045734184823,"in_iface":"eth3.2302","event_type":"alert","src_ip":"46.229.238.172","src_port":19806,"dest_ip":"147.32.80.79","dest_port":6667,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2522818,"rev":2952,"signature":"ET TOR Known Tor Relay\/Router (Not Exit) Node Traffic group 410","category":"Misc Attack","severity":2}}
{"timestamp":"2017-05-05T21:49:10.767194+0200","flow_id":1857907678688474,"in_iface":"eth3.2302","event_type":"alert","src_ip":"190.215.43.162","src_port":58011,"dest_ip":"147.32.83.193","dest_port":3389,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001972,"rev":19,"signature":"ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)","category":"Detection of a Network Scan","severity":3}}
{"timestamp":"2017-05-05T21:49:10.794801+0200","flow_id":1488720879848259,"in_iface":"eth3.2302","event_type":"alert","src_ip":"147.32.80.129","src_port":3389,"dest_ip":"190.215.43.162","dest_port":57953,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001330,"rev":8,"signature":"ET POLICY RDP connection confirm","category":"Misc activity","severity":3}}
{"timestamp":"2017-05-05T21:49:10.800391+0200","flow_id":295050684038710,"in_iface":"eth3.2302","event_type":"alert","src_ip":"147.32.80.33","src_port":3389,"dest_ip":"190.215.43.162","dest_port":57951,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001330,"rev":8,"signature":"ET POLICY RDP connection confirm","category":"Misc activity","severity":3}}
{"timestamp":"2017-05-05T21:49:10.803136+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2001:0718:0002:1611:0000:0001:0000:0090","src_port":56556,"dest_ip":"2600:9000:5300:5900:0000:0000:0000:0001","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44034,"rrname":"tag.crsspxl.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-05-05T21:49:10.820059+0200","flow_id":599761433843487,"in_iface":"eth3.2302","event_type":"alert","src_ip":"147.32.81.61","src_port":3389,"dest_ip":"190.215.43.162","dest_port":57960,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001330,"rev":8,"signature":"ET POLICY RDP connection confirm","category":"Misc activity","severity":3}}
{"timestamp":"2017-05-05T21:49:10.826899+0200","flow_id":2073098425131429,"in_iface":"eth3.2302","event_type":"alert","src_ip":"147.32.80.146","src_port":3389,"dest_ip":"190.215.43.162","dest_port":57958,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001330,"rev":8,"signature":"ET POLICY RDP connection confirm","category":"Misc activity","severity":3}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"tag.crsspxl.com","rrtype":"A","ttl":60,"rdata":"23.23.137.33"}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"tag.crsspxl.com","rrtype":"A","ttl":60,"rdata":"23.21.126.194"}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"tag.crsspxl.com","rrtype":"A","ttl":60,"rdata":"107.22.249.166"}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"tag.crsspxl.com","rrtype":"A","ttl":60,"rdata":"54.243.242.36"}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"crsspxl.com","rrtype":"NS","ttl":41728,"rdata":"ns-1524.awsdns-62.org"}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"crsspxl.com","rrtype":"NS","ttl":41728,"rdata":"ns-1829.awsdns-36.co.uk"}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"crsspxl.com","rrtype":"NS","ttl":41728,"rdata":"ns-648.awsdns-17.net"}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"crsspxl.com","rrtype":"NS","ttl":41728,"rdata":"ns-89.awsdns-11.com"}}
{"timestamp":"2017-05-05T21:49:10.837881+0200","flow_id":852962640826286,"in_iface":"eth3.2302","event_type":"alert","src_ip":"74.201.35.42","src_port":7802,"dest_ip":"147.32.82.3","dest_port":5222,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2230010,"rev":1,"signature":"SURICATA TLS invalid record\/traffic","category":"Generic Protocol Command Decode","severity":3},"tls":{"sni":"agents.felk.cvut.cz","version":"0x3f78"}}
{"timestamp":"2017-05-05T21:49:10.837881+0200","flow_id":852962640826286,"in_iface":"eth3.2302","event_type":"alert","src_ip":"74.201.35.42","src_port":7802,"dest_ip":"147.32.80.88","dest_port":5222,"proto":"TCP","tls":{"sni":"agents.felk.cvut.cz","version":"0x3f78"},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2230015,"rev":1,"signature":"SURICATA TLS invalid record version","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2017-05-05T21:49:10.837881+0200","flow_id":852962640826286,"in_iface":"eth3.2302","event_type":"alert","src_ip":"74.201.35.42","src_port":7802,"dest_ip":"147.32.80.88","dest_port":5222,"proto":"TCP","tls":{"sni":"agents.felk.cvut.cz","version":"0x3f78"},"alert":{"action":"allowed","gid":1,"signature_id":2260002,"rev":1,"signature":"SURICATA Applayer Detect protocol only one direction","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2017-05-05T21:49:10.839729+0200","flow_id":852962640826286,"in_iface":"eth3.2302","event_type":"alert","src_ip":"147.32.80.88","src_port":5222,"dest_ip":"74.201.35.42","dest_port":7802,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2230010,"rev":1,"signature":"SURICATA TLS invalid record\/traffic","category":"Generic Protocol Command Decode","severity":3},"tls":{"sni":"agents.felk.cvut.cz","version":"0x3f78"}}
{"timestamp":"2017-05-05T21:49:10.839729+0200","flow_id":852962640826286,"in_iface":"eth3.2302","event_type":"alert","src_ip":"147.32.80.88","src_port":5222,"dest_ip":"74.201.35.42","dest_port":7802,"proto":"TCP","tls":{"sni":"agents.felk.cvut.cz","version":"0x3f78"},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2230015,"rev":1,"signature":"SURICATA TLS invalid record version","category":"Generic Protocol Command Decode","severity":3}}
I am lost here; I don't know Python much.


I've got a problem with suricata_extractor.py.
No matter what I do, it throws up an error.
Code:# ./suricata_extractor.py -f /home/vile/Downloads/sample_eve.json
File "./suricata_extractor.py", line 187
print '\ncat:{}, sev:{}, sig:{}, srcip:{}, dstip:{}, srcp:{}, dstp:{}'.format(
^
SyntaxError: invalid syntax
Part of the Python script is here:
Code: Receive a flow and use it
"""
# If we were told to get the bandwidth, do ti
if args.bandwidth:
if 'TCP' in proto:
try:
data = self.bandwidth[dstport]
self.bandwidth[dstport] += bytes_toserver \
+ bytes_toclient
except KeyError:
self.bandwidth[dstport] = bytes_toserver \
+ bytes_toclient
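def add_alert(
    self,
    category,
    severity,
    signature,
    src_ip,
    dst_ip,
    srcport,
    destport,
):
    """
    Receive an alert and add it to the current time window (TW).

    Every field is tallied in its own per-window counter dict on
    ``self``: ``categories``, ``severities``, ``signatures``, ``src_ips``,
    ``dst_ips``, ``src_ports`` and ``dst_ports``.  An empty category is
    counted under the key 'Unknown Traffic'.

    Args:
        category: alert category string; may be ''.
        severity: alert severity; passed through int() before counting,
            so '2' and 2 land in the same bucket.
        signature: rule signature text.
        src_ip, dst_ip: endpoint addresses as carried by the eve record.
        srcport, destport: endpoint ports as carried by the eve record.

    Raises:
        ValueError / TypeError: if ``severity`` cannot be converted
            with int().
    """
    def bump(counter, key):
        # Increment one tally, creating the entry on first sight.
        counter[key] = counter.get(key, 0) + 1

    if args.debug > 1:
        # print() with a single argument is valid under both Python 2
        # and 3; the former Python 2 print *statement* is what raised
        # "SyntaxError: invalid syntax" when the script ran on Python 3.
        # The values echoed here are whatever the eve record carried.
        print('\ncat:{}, sev:{}, sig:{}, srcip:{}, dstip:{}, srcp:{}, dstp:{}'.format(
            category,
            severity,
            signature,
            src_ip,
            dst_ip,
            srcport,
            destport,
        ))
    # Categories: an empty category is filed as 'Unknown Traffic'
    bump(self.categories, 'Unknown Traffic' if category == '' else category)
    # Severities
    bump(self.severities, int(severity))
    # Signatures
    bump(self.signatures, signature)
    # Srcip
    bump(self.src_ips, src_ip)
    # Dstip
    bump(self.dst_ips, dst_ip)
    # Srcport
    bump(self.src_ports, srcport)
    # dstport
    bump(self.dst_ports, destport)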
https://pastebin.com/ytvVGniF
and here is sample_eve.json :
Code:{"timestamp":"2017-05-05T21:49:10.398838+0200","flow_id":848899601733110,"in_iface":"eth3.2302","event_type":"dns","src_ip":"81.30.240.203","src_port":46304,"dest_ip":"147.32.80.9","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6969,"rrname":"iphonesubmissions.apple.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-05-05T21:49:10.399367+0200","flow_id":848899601733110,"in_iface":"eth3.2302","event_type":"dns","src_ip":"147.32.80.9","src_port":53,"dest_ip":"81.30.240.203","dest_port":46304,"proto":"UDP","dns":{"type":"answer","id":6969,"rcode":"REFUSED","rrname":"iphonesubmissions.apple.com"}}
{"timestamp":"2017-05-05T21:49:10.495594+0200","flow_id":1833172962021354,"in_iface":"eth3.2302","event_type":"alert","src_ip":"45.55.10.206","src_port":57362,"dest_ip":"147.32.82.3","dest_port":5632,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2402000,"rev":4433,"signature":"ET DROP Dshield Block Listed Source group 1","category":"Misc Attack","severity":2}}
{"timestamp":"2017-05-05T21:49:10.495594+0200","flow_id":1833172962021354,"in_iface":"eth3.2302","event_type":"alert","src_ip":"45.55.10.206","src_port":57362,"dest_ip":"147.32.82.3","dest_port":9999,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2403345,"rev":3524,"signature":"ET CINS Active Threat Intelligence Poor Reputation IP group 46","category":"Misc Attack","severity":2}}
{"timestamp":"2017-05-05T21:49:10.540270+0200","flow_id":1258188510215441,"in_iface":"eth3.2302","event_type":"alert","src_ip":"147.32.81.184","src_port":3389,"dest_ip":"5.8.50.70","dest_port":9259,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001330,"rev":8,"signature":"ET POLICY RDP connection confirm","category":"Misc activity","severity":3}}
{"timestamp":"2017-05-05T21:49:10.548109+0200","flow_id":514493448084749,"in_iface":"eth3.2302","event_type":"alert","src_ip":"218.90.83.226","src_port":46317,"dest_ip":"147.32.82.3","dest_port":5632,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2010935,"rev":2,"signature":"ET POLICY Suspicious inbound to MSSQL port 1433","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-05-05T21:49:10.669889+0200","flow_id":72545608284353,"in_iface":"eth3.2302","event_type":"alert","src_ip":"218.90.83.226","src_port":10980,"dest_ip":"147.32.82.3","dest_port":9999,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2403368,"rev":3524,"signature":"ET CINS Active Threat Intelligence Poor Reputation IP group 69","category":"Misc Attack","severity":2}}
{"timestamp":"2017-05-05T21:49:10.679773+0200","flow_id":1120358714745798,"in_iface":"eth3.2302","event_type":"http","src_ip":"147.32.83.134","src_port":45128,"dest_ip":"5.189.169.136","dest_port":7080,"proto":"TCP","tx_id":0,"http":{"hostname":"bo1.tryb.de","url":"\/","http_user_agent":"bo-android","http_content_type":"application\/json","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3}}
{"timestamp":"2017-05-05T21:49:10.679773+0200","flow_id":1120358714745798,"in_iface":"eth3.2302","event_type":"fileinfo","src_ip":"147.32.83.134","src_port":45128,"dest_ip":"5.189.169.136","dest_port":7080,"proto":"TCP","http":{"hostname":"bo1.tryb.de","url":"\/","http_user_agent":"bo-android","http_content_type":"application\/json","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3},"app_proto":"http","fileinfo":{"filename":"\/","state":"CLOSED","md5":"c45daac3b2ec2b3b8b807e235b2c5f48","stored":false,"size":47,"tx_id":0}}
{"timestamp":"2017-05-05T21:49:10.722807+0200","flow_id":796045734184823,"in_iface":"eth3.2302","event_type":"alert","src_ip":"46.229.238.172","src_port":19806,"dest_ip":"147.32.80.79","dest_port":6667,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2522818,"rev":2952,"signature":"ET TOR Known Tor Relay\/Router (Not Exit) Node Traffic group 410","category":"Misc Attack","severity":2}}
{"timestamp":"2017-05-05T21:49:10.767194+0200","flow_id":1857907678688474,"in_iface":"eth3.2302","event_type":"alert","src_ip":"190.215.43.162","src_port":58011,"dest_ip":"147.32.83.193","dest_port":3389,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001972,"rev":19,"signature":"ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)","category":"Detection of a Network Scan","severity":3}}
{"timestamp":"2017-05-05T21:49:10.794801+0200","flow_id":1488720879848259,"in_iface":"eth3.2302","event_type":"alert","src_ip":"147.32.80.129","src_port":3389,"dest_ip":"190.215.43.162","dest_port":57953,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001330,"rev":8,"signature":"ET POLICY RDP connection confirm","category":"Misc activity","severity":3}}
{"timestamp":"2017-05-05T21:49:10.800391+0200","flow_id":295050684038710,"in_iface":"eth3.2302","event_type":"alert","src_ip":"147.32.80.33","src_port":3389,"dest_ip":"190.215.43.162","dest_port":57951,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001330,"rev":8,"signature":"ET POLICY RDP connection confirm","category":"Misc activity","severity":3}}
{"timestamp":"2017-05-05T21:49:10.803136+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2001:0718:0002:1611:0000:0001:0000:0090","src_port":56556,"dest_ip":"2600:9000:5300:5900:0000:0000:0000:0001","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44034,"rrname":"tag.crsspxl.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-05-05T21:49:10.820059+0200","flow_id":599761433843487,"in_iface":"eth3.2302","event_type":"alert","src_ip":"147.32.81.61","src_port":3389,"dest_ip":"190.215.43.162","dest_port":57960,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001330,"rev":8,"signature":"ET POLICY RDP connection confirm","category":"Misc activity","severity":3}}
{"timestamp":"2017-05-05T21:49:10.826899+0200","flow_id":2073098425131429,"in_iface":"eth3.2302","event_type":"alert","src_ip":"147.32.80.146","src_port":3389,"dest_ip":"190.215.43.162","dest_port":57958,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001330,"rev":8,"signature":"ET POLICY RDP connection confirm","category":"Misc activity","severity":3}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"tag.crsspxl.com","rrtype":"A","ttl":60,"rdata":"23.23.137.33"}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"tag.crsspxl.com","rrtype":"A","ttl":60,"rdata":"23.21.126.194"}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"tag.crsspxl.com","rrtype":"A","ttl":60,"rdata":"107.22.249.166"}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"tag.crsspxl.com","rrtype":"A","ttl":60,"rdata":"54.243.242.36"}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"crsspxl.com","rrtype":"NS","ttl":41728,"rdata":"ns-1524.awsdns-62.org"}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"crsspxl.com","rrtype":"NS","ttl":41728,"rdata":"ns-1829.awsdns-36.co.uk"}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"crsspxl.com","rrtype":"NS","ttl":41728,"rdata":"ns-648.awsdns-17.net"}}
{"timestamp":"2017-05-05T21:49:10.832688+0200","flow_id":1940830612242752,"in_iface":"eth3.2302","event_type":"dns","src_ip":"2600:9000:5300:5900:0000:0000:0000:0001","src_port":53,"dest_ip":"2001:0718:0002:1611:0000:0001:0000:0090","dest_port":56556,"proto":"UDP","dns":{"type":"answer","id":44034,"rcode":"NOERROR","rrname":"crsspxl.com","rrtype":"NS","ttl":41728,"rdata":"ns-89.awsdns-11.com"}}
{"timestamp":"2017-05-05T21:49:10.837881+0200","flow_id":852962640826286,"in_iface":"eth3.2302","event_type":"alert","src_ip":"74.201.35.42","src_port":7802,"dest_ip":"147.32.82.3","dest_port":5222,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2230010,"rev":1,"signature":"SURICATA TLS invalid record\/traffic","category":"Generic Protocol Command Decode","severity":3},"tls":{"sni":"agents.felk.cvut.cz","version":"0x3f78"}}
{"timestamp":"2017-05-05T21:49:10.837881+0200","flow_id":852962640826286,"in_iface":"eth3.2302","event_type":"alert","src_ip":"74.201.35.42","src_port":7802,"dest_ip":"147.32.80.88","dest_port":5222,"proto":"TCP","tls":{"sni":"agents.felk.cvut.cz","version":"0x3f78"},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2230015,"rev":1,"signature":"SURICATA TLS invalid record version","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2017-05-05T21:49:10.837881+0200","flow_id":852962640826286,"in_iface":"eth3.2302","event_type":"alert","src_ip":"74.201.35.42","src_port":7802,"dest_ip":"147.32.80.88","dest_port":5222,"proto":"TCP","tls":{"sni":"agents.felk.cvut.cz","version":"0x3f78"},"alert":{"action":"allowed","gid":1,"signature_id":2260002,"rev":1,"signature":"SURICATA Applayer Detect protocol only one direction","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2017-05-05T21:49:10.839729+0200","flow_id":852962640826286,"in_iface":"eth3.2302","event_type":"alert","src_ip":"147.32.80.88","src_port":5222,"dest_ip":"74.201.35.42","dest_port":7802,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2230010,"rev":1,"signature":"SURICATA TLS invalid record\/traffic","category":"Generic Protocol Command Decode","severity":3},"tls":{"sni":"agents.felk.cvut.cz","version":"0x3f78"}}
{"timestamp":"2017-05-05T21:49:10.839729+0200","flow_id":852962640826286,"in_iface":"eth3.2302","event_type":"alert","src_ip":"147.32.80.88","src_port":5222,"dest_ip":"74.201.35.42","dest_port":7802,"proto":"TCP","tls":{"sni":"agents.felk.cvut.cz","version":"0x3f78"},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2230015,"rev":1,"signature":"SURICATA TLS invalid record version","category":"Generic Protocol Command Decode","severity":3}}
I am lost here; I don't know Python much.