# eve2test

Repository: https://github.com/shivan1b/eve2test (Python, GPL-2.0; topics: json, python, suricata, yaml)

Script to convert a Suricata `eve.json` log into a `test.yaml` file. It currently implements only the creation of the "checks" block in `test.yaml` from a given `eve.json`. You can add any other configuration to the file it creates.

## Usage
```
└─ $ ▶ ./bin/eve2test -h
usage: eve2test [-h] [--eventtype-only] [--allow-events [ALLOW_EVENTS]]
                <path-to-eve> <output-path>

Convert eve.json to test.yaml

positional arguments:
  <path-to-eve>         Path to eve.json
  <output-path>         Path to the folder where generated test.yaml should be
                        put

optional arguments:
  -h, --help            show this help message and exit
  --eventtype-only      Create filter blocks based on count of event types only
  --allow-events [ALLOW_EVENTS]
                        Create filter blocks for the specified events
```

## Sample output file

On running the following command

```
└─ $ ▶ ./bin/eve2test eve.json ./test.yaml
```

a file `test.yaml` is created with the following content. Every event in `eve.json` becomes one filter whose `match` block carries that event's fields, so each filter matches exactly one event (`count: 1`).

```
# *** Add configuration here ***

checks:
  - filter:
      count: 1
      match:
        event_type: alert
        src_ip: 192.168.2.7
        src_port: 1041
        dest_ip: 208.75.250.50
        dest_port: 80
        proto: TCP
        tx_id: 0
        alert:
          action: allowed
          gid: 1
          signature_id: 2001340
          rev: 9
          signature: "ET MALWARE LocalNRD Spyware Checkin (Original Sig Fails to Fire)"
          category: A Network Trojan was detected
          severity: 1
        app_proto: http
  - filter:
      count: 1
      match:
        event_type: alert
        src_ip: 192.168.2.7
        src_port: 1041
        dest_ip: 208.75.250.50
        dest_port: 80
        proto: TCP
        app_proto: http
        tx_id: 0
        alert:
          action: allowed
          gid: 1
          signature_id: 2001341
          rev: 9
          signature: "ET MALWARE LocalNRD Spyware Checkin (OISF changed to content fails also)"
          category: A Network Trojan was detected
          severity: 1

```

You can also opt to create filters based on the count of event types only. That generates a much more compact `test.yaml`, as shown below. Please note that this creates one filter per distinct event type, checking only how many events of that type occurred.

On running
```
└─ $ ▶ ./bin/eve2test eve.json ./test.yaml --eventtype-only
```

the content of `test.yaml` looks like
```
# *** Add configuration here ***

checks:
  - filter:
      count: 4
      match:
        event_type: alert
  - filter:
      count: 1
      match:
        event_type: http
```

Another filter option is to create checks for certain event types only, given as a comma-separated list.
On running
```
└─ $ ▶ ./bin/eve2test eve.json ./test.yaml --allow-events alert,tls
```

the content of `test.yaml` looks like
```
checks:
- filter:
    count: 1
    match:
      dest_ip: 192.168.56.101
      dest_port: 443
      event_type: tls
      pcap_cnt: 47
      proto: TCP
      src_ip: 192.168.56.1
      src_port: 49368
      tls:
        fingerprint: 3a:0b:3b:23:15:2c:44:5c:27:ac:6a:0c:41:d6:fa:74:af:b4:09:5b
        issuerdn: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
        ja3: {}
        ja3s: {}
        notafter: '2025-02-09T18:07:27'
        notbefore: '2015-02-12T18:07:27'
        serial: 00:97:E6:47:09:8E:EA:C9:B4
        subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
        version: TLS 1.2
- filter:
    count: 1
    match:
      alert:
        action: allowed
        category: ''
        gid: 1
        rev: 1
        severity: 3
        signature: Stamus TLS
        signature_id: 1
      app_proto: tls
      dest_ip: 192.168.56.1
      dest_port: 49368
      event_type: alert
      flow:
        bytes_toclient: 1821
        bytes_toserver: 644
        pkts_toclient: 4
        pkts_toserver: 5
        start: 2015-03-06T19:12:25.787108+0000
      pcap_cnt: 49
      proto: TCP
      src_ip: 192.168.56.101
      src_port: 443
      tls:
        fingerprint: 3a:0b:3b:23:15:2c:44:5c:27:ac:6a:0c:41:d6:fa:74:af:b4:09:5b
        issuerdn: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
        ja3: {}
        ja3s: {}
        notafter: '2025-02-09T18:07:27'
        notbefore: '2015-02-12T18:07:27'
        serial: 00:97:E6:47:09:8E:EA:C9:B4
        subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
        version: TLS 1.2
      tx_id: 0
- filter:
    count: 1
    match:
      dest_ip: 192.168.56.101
      dest_port: 443
      event_type: tls
      pcap_cnt: 99
      proto: TCP
      src_ip: 192.168.56.1
      src_port: 49369
      tls:
        ja3: {}
        ja3s: {}
        session_resumed: true
        version: TLS 1.2
```