[Oisf-users] Packet data in JSON
Eric Leblond
eric at regit.org
Wed Dec 17 15:18:40 UTC 2014
Hi,
On Wed, 2014-12-17 at 16:11 +0100, Michał Purzyński wrote:
> Hey, starting from 2.1beta1 Suricata can output packet data, base64
> encoded, in JSON. I decided to give it a try and am wondering, how do
> I convert the data to pcap format?
You can use scapy (http://www.secdev.org/projects/scapy/doc/index.html)
for that:
$ scapy
Welcome to Scapy (2.2.0)
>>> import base64
>>> packet = "2FDmPDJQ9MrlS21yCABFAAA0/nVAADQGosRnKXw3wKgBgaqAABZAL82qoYTE9YARAPrDawAAAQEICgdqPOgTApaN"
>>> p = Ether(base64.b64decode(packet))
>>> wrpcap("/tmp/payload.pcap",p)
Here you are.
++
>
> I'm talking about
>
> - eve-log:
>     enabled: yes
>     type: file
>     filename: eve.json
>     types:
>       - alert:
>           payload: yes
>           payload-printable: yes
>           packet: yes <--- this is interesting.
>           http: yes
>
> I.e. the field in JSON
>
> "packet":"eP49SL<packet-data-here>TMfIgGpXxw=="}
>
> I can decode it using base64 -D and get a binary file, but it lacks
> pcap wrapping so I can't really open it with anything.
>
> Any ideas where to go from here?
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
--
Eric Leblond <eric at regit.org>
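The conversion Eric sketches with scapy, written here as an added stand-alone Python script (not from the thread, and not Suricata's own code) that walks an eve.json file line by line, decodes every "packet" field and writes a standard pcap with the standard library only. It assumes the packets are Ethernet frames, as the Ether() call above does, and takes its timestamps from the record's "timestamp" field; the two-line eve.json sample is constructed and reuses the base64 packet shown above.

```python
import base64
import json
import struct
from datetime import datetime

# Constructed sample: one alert carrying the packet Eric decodes above, one http record without a packet.
SAMPLE_EVE = "\n".join([
    json.dumps({"timestamp": "2014-12-17T16:11:00.123456+0100", "event_type": "alert",
                "packet": "2FDmPDJQ9MrlS21yCABFAAA0/nVAADQGosRnKXw3wKgBgaqAABZAL82qoYTE9YARAPrDawAAAQEICgdqPOgTApaN"}),
    json.dumps({"timestamp": "2014-12-17T16:11:01.000000+0100", "event_type": "http"}),
])

PCAP_MAGIC = 0xA1B2C3D4      # native-order magic; we write all fields little-endian
LINKTYPE_ETHERNET = 1        # assumption: eve "packet" is a full Ethernet frame

def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (24 bytes)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(ts_sec, ts_usec, frame):
    # per-packet header: ts_sec, ts_usec, captured length, original length
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

def eve_timestamp(ts):
    """Split a Suricata timestamp like 2014-12-17T16:11:00.123456+0100 into (epoch seconds, microseconds)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp()), dt.microsecond

def eve_to_pcap(eve_text):
    """Return (pcap_bytes, packet_count); records without a 'packet' field are skipped."""
    out = [pcap_global_header()]
    count = 0
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        b64 = rec.get("packet")
        if not b64:
            continue
        frame = base64.b64decode(b64, validate=True)   # reject malformed base64 instead of silently truncating
        sec, usec = eve_timestamp(rec["timestamp"])
        out.append(pcap_record(sec, usec, frame))
        count += 1
    return b"".join(out), count

if __name__ == "__main__":
    data, n = eve_to_pcap(SAMPLE_EVE)
    with open("/tmp/eve-packets.pcap", "wb") as f:
        f.write(data)
    print("wrote %d packet(s)" % n)
```

The resulting file opens in Wireshark or tcpdump like any other capture; to process a real log, replace SAMPLE_EVE with the contents of eve.json.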