A Suricata JSON analyzer
- Supports both .pcap and .json inputs
- Outputs reStructuredText formatted reports
- Automatically calls Suricata
- Easily extensible to support other input and output file formats
Usage: Capefox -f <input .pcap/.json> [options]
E.g.: ./Capefox -f suspiciousCapture.pcap -o output/capefox_report.rst
E.g.: ./Capefox -f data/eve.json -o output/capefox_report.rst
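To make the eve.json-to-reStructuredText step concrete, here is an added Python example that is not part of Capefox: it parses newline-delimited Suricata eve.json (skipping a half-written last line), tallies events and alert signatures, and renders RST simple tables. The sample records, IPs and rule names are constructed for the example.

```python
import json
from collections import Counter

# Constructed eve.json sample (one event per line; made-up IPs/rules; last line cut short on purpose).
SAMPLE_EVE_JSON = """\
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED example rule A","severity":2}}
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","proto":"TCP"}
{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"192.0.2.10","proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED example rule A","severity":2}}
{"event_type":"alert","src_ip":"10.0.0.9","dest_ip":"192.0.2.44","proto":"UDP","alert":{"signature_id":9000002,"signature":"CONSTRUCTED example rule B","severity":3}}
{"event_type":"alert","src_ip":"10.0.0
"""

def parse_eve(text):
    """Parse eve.json text into event dicts, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial last line or junk: drop it rather than lose the whole report
    return events

def summarize_alerts(events):
    """Tally all events by event_type, and alerts by (signature_id, signature, severity)."""
    by_type = Counter(e.get("event_type", "unknown") for e in events)
    alerts = (e.get("alert", {}) for e in events if e.get("event_type") == "alert")
    by_sig = Counter((a.get("signature_id"), a.get("signature"), a.get("severity")) for a in alerts)
    return by_type, by_sig

def rst_simple_table(headers, rows):
    """Render an RST 'simple table' with column widths fitted to the content."""
    cells = [[str(c) for c in r] for r in (headers, *rows)]
    widths = [max(len(row[i]) for row in cells) for i in range(len(headers))]
    rule = "  ".join("=" * w for w in widths)
    fmt = lambda row: "  ".join(c.ljust(w) for c, w in zip(row, widths)).rstrip()
    return "\n".join([rule, fmt(cells[0]), rule, *map(fmt, cells[1:]), rule])

def render_report(events, title="Capefox-style report"):
    """Build the RST report: title, events-by-type table, alerts-by-signature table (most frequent first)."""
    by_type, by_sig = summarize_alerts(events)
    sig_rows = [(sid, sig, sev, n) for (sid, sig, sev), n in by_sig.most_common()]
    return "\n".join([
        title, "=" * len(title), "",
        "Events by type", "-" * 14, "",
        rst_simple_table(["Event type", "Count"], sorted(by_type.items())), "",
        "Alerts by signature", "-" * 19, "",
        rst_simple_table(["SID", "Signature", "Severity", "Count"], sig_rows), "",
    ])

if __name__ == "__main__":
    print(render_report(parse_eve(SAMPLE_EVE_JSON)))
```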
Option | Alt | Description |
---|---|---|
-h | --help | Display this help menu |
-f | --file | Path to the .pcap or eve.json to analyze |
-o | --output | Report output path |
-c | --config | Path to a custom Suricata config |
-s | --suricata | Path to a custom Suricata executable |
In order to be able to build Capefox the following dependencies are needed:
- docker.io
- nlohmann-json3-dev
- suricata (7.0.0)
Please note that Capefox was designed to run with Suricata 7.0.0. As such, we recommend using the Docker build, as it bundles the right dependencies.
To compile and run in a Docker container, run:
cd capefox
make docker-build
make docker-run
Capefox -f suspiciousCapture.pcap -o output/capefox_report.rst
A shell inside the newly built Docker container will open in the current working directory. From there you can access your custom input and rules to use with Capefox.
/!\ Do not prefix Capefox with "./" while in the Docker container: Capefox is available on the PATH, installed at "/usr/local/bin/Capefox".
- Do note that you may need to run these commands as root, depending on your Docker setup.
To compile and run locally, run:
cd Capefox
make rebuild
./Capefox -f suspiciousCapture.pcap -o output/capefox_report.rst
You can find a sample Capefox report in the output folder.