[Oisf-devel] [PATCH] numlog: new alert output

Victor Julien victor at inliniac.net
Sat Oct 1 13:43:35 UTC 2011


On 10/01/2011 02:14 AM, Eric Leblond wrote:
> Hello,
> 
> Attached to this mail is a patch which brings a new output module
> which aim is to provide a way to interact between suricata and pcap
> parser like wireshark. This is a line based logging with a very
> simple format: PKT_ID:SID:0:0:MSG The two zero values are to permit
> to indicate the byte start and byte end of the matches. This has
> not yet been done because it requires more modifications and it is
> more intrusive. Using the PKT_ID, pcap parsers can then easily do a
> link between suricata alerts and packets.
> 
> I've developed a wireshark plugin which uses this output to provide
> a clean and efficient way to add suricata alerts information
> inside wireshark: http://home.regit.org/software/suriwire/ This is
> currently in alpha stage but it is already usable.
> 
> BR,

Good stuff Eric!

I think the format could include a few more parts of info:
- rev and gid in addition to sid
- http transaction id (I guess a generic tx id field)

A possible issue is that in certain conditions Suricata creates pseudo
packets: ending streams that time out, handling tunnels, etc. In those
cases the pcap_cnt will be 0.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
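Below is an added example, not part of Eric's patch or of the suriwire plugin: a small consumer for the numlog line format described in the thread (PKT_ID:SID:0:0:MSG) that does the join a pcap parser would do between alert lines and packet numbers. It treats the two zero fields as the match byte start/end that the patch reserves but does not yet fill, and it handles the case Victor raises: alerts on pseudo packets, which carry pcap_cnt 0 and so have no capture-file packet to link to. The sample lines, their sids and messages are constructed for this example.

```python
# Added example: a parser for numlog alert lines (PKT_ID:SID:START:END:MSG).
# Constructed for this page; not code from Suricata or suriwire.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class NumlogAlert:
    pkt_id: int       # Suricata's pcap_cnt for the packet that raised the alert
    sid: int          # signature id
    byte_start: int   # match start offset (always 0 in the posted patch)
    byte_end: int     # match end offset (always 0 in the posted patch)
    msg: str          # rule message; may itself contain ':'

    @property
    def is_pseudo_packet(self) -> bool:
        """True when there is no capture-file packet to link this alert to.

        Suricata emits pseudo packets for timed-out streams, tunnels, etc.,
        and reports pcap_cnt == 0 for them (the caveat raised in the reply).
        """
        return self.pkt_id == 0


def parse_numlog_line(line: str) -> NumlogAlert:
    """Parse one PKT_ID:SID:START:END:MSG line; raise ValueError on bad input."""
    line = line.rstrip("\r\n")
    # Split at most 4 times so a MSG that contains ':' stays in one piece.
    parts = line.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {line!r}")
    try:
        pkt_id, sid, start, end = (int(p) for p in parts[:4])
    except ValueError as exc:
        raise ValueError(f"non-numeric field in {line!r}") from exc
    if min(pkt_id, sid, start, end) < 0 or end < start:
        raise ValueError(f"out-of-range numeric field in {line!r}")
    return NumlogAlert(pkt_id, sid, start, end, parts[4])


def link_alerts_to_packets(
    log_text: str,
) -> Tuple[Dict[int, List[NumlogAlert]], List[NumlogAlert]]:
    """Index alerts by pcap packet number, as a pcap parser would.

    Returns (by_packet, unlinked). Alerts on pseudo packets (pkt_id 0) go to
    `unlinked` instead of being attached to a packet 0 that does not exist in
    the capture. Blank lines are skipped; malformed lines raise rather than
    being dropped silently.
    """
    by_packet: Dict[int, List[NumlogAlert]] = {}
    unlinked: List[NumlogAlert] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        alert = parse_numlog_line(raw)
        if alert.is_pseudo_packet:
            unlinked.append(alert)
        else:
            by_packet.setdefault(alert.pkt_id, []).append(alert)
    return by_packet, unlinked


# Constructed sample log: three alerts on real packets (two on packet 12) and
# one raised on a pseudo packet. The sids and messages are made up.
SAMPLE_NUMLOG = """\
12:1000001:0:0:LOCAL TEST rule with colon: in message
12:1000002:0:0:LOCAL TEST second rule on same packet
57:1000003:0:0:LOCAL TEST rule on later packet
0:1000004:0:0:LOCAL TEST alert on timed-out stream pseudo packet
"""

if __name__ == "__main__":
    linked, unlinked = link_alerts_to_packets(SAMPLE_NUMLOG)
    for pkt_id in sorted(linked):
        for a in linked[pkt_id]:
            print(f"packet {pkt_id}: sid {a.sid} {a.msg}")
    for a in unlinked:
        print(f"no packet (pseudo): sid {a.sid} {a.msg}")
```

Splitting with a bounded `maxsplit` is what keeps rule messages containing colons intact; keeping pseudo-packet alerts in a separate list means a viewer can still show them (for example on a summary pane) instead of mis-attaching them to packet 0 or discarding them.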

