[Oisf-devel] [PATCH] numlog: new alert output
Eric Leblond
eric at regit.org
Sat Oct 1 14:39:32 UTC 2011
Hello,
On Sat, 2011-10-01 at 15:43 +0200, Victor Julien wrote:
> On 10/01/2011 02:14 AM, Eric Leblond wrote:
> > Hello,
> >
> > Attached to this mail is a patch which brings a new output module
> > whose aim is to provide a way to interact between suricata and pcap
> > parsers like wireshark. This is a line based logging with a very
> > simple format: PKT_ID:SID:0:0:MSG The two zero values are there to
> > indicate the byte start and byte end of the matches. This has
> > not yet been done because it requires more modifications and it is
> > more intrusive. Using the PKT_ID, pcap parsers can then easily do a
> > link between suricata alerts and packets.
> >
> > I've developed a wireshark plugin which uses this output to provide
> > a clean and efficient way to add suricata alerts information
> > inside wireshark: http://home.regit.org/software/suriwire/ This is
> > currently in alpha stage but it is already usable.
> >
> > BR,
>
> Good stuff Eric!
Thanks
> I think the format could include a few more parts of info:
> - rev and gid in addition to sid
Good idea.
> - http transaction id (I guess a generic tx id field)
Which structure is involved in that? I've done a quick search without
success.
> A possible issue is that in certain conditions Suricata creates pseudo
> packets: ending streams that time out, handling tunnels, etc. In those
> cases the pcap_cnt will be 0.
Ok, in this case, I do not trigger an alert:
if (p->pcap_cnt != 0) {
Maybe it could be interesting to log the alert on the parent packet if it
is not already done by suricata itself?
BR,
--
Eric Leblond
Blog: http://home.regit.org/
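A consumer-side example of the PKT_ID:SID:0:0:MSG format discussed in this thread, added here and not part of the patch or of suriwire: it parses numlog lines, groups alerts by pcap packet number the way a pcap viewer plugin would, and sets aside records whose PKT_ID is 0 (the pseudo packets Victor mentions) rather than attaching them to a nonexistent frame 0. The sample lines, SIDs and messages are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of numlog lines in the PKT_ID:SID:START:END:MSG
# format from the thread; SIDs are in the local rule range and the
# messages are made up. One line is deliberately malformed and one
# comes from a pseudo packet (PKT_ID 0).
SAMPLE_NUMLOG = """\
12:1000001:0:0:LOCAL test rule a
12:1000002:0:0:LOCAL test rule b
0:1000002:0:0:LOCAL test rule b
57:1000003:0:0:LOCAL ratio 1:1 in message
this line does not have enough fields
"""


def parse_numlog_line(line):
    """Parse one PKT_ID:SID:START:END:MSG record.

    MSG may itself contain ':' so only the first four separators are
    used for splitting. Returns a dict, or None if the line is malformed.
    """
    parts = line.rstrip("\n").split(":", 4)
    if len(parts) != 5:
        return None
    pkt_id, sid, start, end, msg = parts
    try:
        return {"pkt_id": int(pkt_id), "sid": int(sid),
                "start": int(start), "end": int(end), "msg": msg}
    except ValueError:
        return None


def index_alerts_by_packet(text):
    """Group alerts by pcap packet number.

    Records with PKT_ID 0 come from Suricata pseudo packets (stream
    timeouts, tunnels) that have no pcap frame; they are returned in a
    separate list so a viewer can report them without mis-linking.
    Returns (by_packet, pseudo_packet_alerts, malformed_line_count).
    """
    by_packet = defaultdict(list)
    pseudo = []
    malformed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_numlog_line(line)
        if rec is None:
            malformed += 1
        elif rec["pkt_id"] == 0:
            pseudo.append(rec)
        else:
            by_packet[rec["pkt_id"]].append(rec)
    return dict(by_packet), pseudo, malformed
```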