[Oisf-users] Packet data in JSON

Victor Julien lists at inliniac.net
Wed Dec 17 16:48:23 UTC 2014


On 12/17/2014 04:18 PM, Eric Leblond wrote:
> Hi,
> 
> On Wed, 2014-12-17 at 16:11 +0100, Michał Purzyński wrote:
>> Hey, starting from 2.1beta1 Suricata can output packet data, base64
>> encoded, in JSON. I decided to give it a try and am wondering, how do
>> I convert the data to pcap format?
> 
> You can use scapy (http://www.secdev.org/projects/scapy/doc/index.html)
> for that:
> 
> $ scapy
> Welcome to Scapy (2.2.0)
>>>> import base64
>>>> packet = "2FDmPDJQ9MrlS21yCABFAAA0/nVAADQGosRnKXw3wKgBgaqAABZAL82qoYTE9YARAPrDawAAAQEICgdqPOgTApaN"
>>>> p = Ether(base64.b64decode(packet))
>>>> wrpcap("/tmp/payload.pcap",p)
> 

Nice one Eric. Someone should write a script to tail eve.json and write
pcaps in the <sid>.pcap format...

Although it's just a single packet currently. Would like to add more,
but not sure how yet.
-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
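The script Victor asks for, as an added example that is not part of the thread (and not Suricata's or Eric's code): it reads eve.json lines, base64-decodes the `packet` field of each alert record and appends the frame to `<sid>.pcap` with a hand-written pcap header, so it needs no scapy. It assumes the 2.1beta1 alert layout (`"event_type": "alert"`, `"alert": {"signature_id": N}`, `"packet": "<base64>"`, a `timestamp` in Suricata's `%Y-%m-%dT%H:%M:%S.%f%z` form) and that the encoded frame starts at Ethernet (pcap link type 1); the sample records, signature ids and timestamps are constructed, only the base64 frame is the one from the thread.

```python
"""eve2pcap: write the base64 'packet' field of Suricata eve.json alerts to <sid>.pcap files.
Added example; assumptions: alert records as in Suricata 2.1beta1 and Ethernet frames."""
import base64
import json
import os
import struct
import sys
import tempfile
from datetime import datetime

PCAP_LINKTYPE_ETHERNET = 1  # DLT_EN10MB; assumption: frames start at the Ethernet header


def parse_eve_alert(line):
    """Return (sid, frame_bytes, ts_sec, ts_usec) for an alert record, else None.
    Non-alert records, records without a packet and malformed lines are skipped."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict) or rec.get("event_type") != "alert" or "packet" not in rec:
        return None
    try:
        sid = int(rec["alert"]["signature_id"])
        frame = base64.b64decode(rec["packet"], validate=True)
    except (KeyError, TypeError, ValueError):
        return None
    ts_sec, ts_usec = 0, 0
    try:
        dt = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        ts_sec, ts_usec = int(dt.timestamp()), dt.microsecond
    except (KeyError, ValueError):
        pass  # keep a zero timestamp rather than drop the frame
    return sid, frame, ts_sec, ts_usec


def append_frame(path, frame, ts_sec, ts_usec):
    """Append one frame to a pcap file, writing the global header only for a new file."""
    with open(path, "ab") as f:
        if f.tell() == 0:  # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
            f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                                PCAP_LINKTYPE_ETHERNET))
        f.write(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        f.write(frame)


def eve_to_pcaps(lines, outdir):
    """Consume eve.json lines (a file, stdin or a tail) and write <sid>.pcap files.
    Returns {sid: number of frames written}."""
    os.makedirs(outdir, exist_ok=True)
    counts = {}
    for line in lines:
        parsed = parse_eve_alert(line)
        if parsed is None:
            continue
        sid, frame, ts_sec, ts_usec = parsed
        append_frame(os.path.join(outdir, "%d.pcap" % sid), frame, ts_sec, ts_usec)
        counts[sid] = counts.get(sid, 0) + 1
    return counts


def read_pcap(path):
    """Parse a pcap file back into [(ts_sec, ts_usec, frame)], to verify what was written."""
    frames = []
    with open(path, "rb") as f:
        magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != 0xA1B2C3D4 or linktype != PCAP_LINKTYPE_ETHERNET:
            raise ValueError("not a pcap file written by this script")
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                break
            ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", hdr)
            frames.append((ts_sec, ts_usec, f.read(incl_len)))
    return frames


# Constructed sample records: the base64 frame is the one Eric pasted; sids are placeholders.
SAMPLE_PACKET = ("2FDmPDJQ9MrlS21yCABFAAA0/nVAADQGosRnKXw3wKgBgaqAABZAL82qoYTE9YARAPrDawAAAQEICgdqPOgTApaN")
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2014-12-17T16:11:00.123456+0100", "event_type": "alert",
                "alert": {"signature_id": 1000001, "signature": "EXAMPLE rule A"},
                "packet": SAMPLE_PACKET}),
    json.dumps({"timestamp": "2014-12-17T16:11:01.000001+0100", "event_type": "flow"}),
    json.dumps({"timestamp": "2014-12-17T16:11:02.500000+0100", "event_type": "alert",
                "alert": {"signature_id": 1000002, "signature": "EXAMPLE rule B"},
                "packet": SAMPLE_PACKET}),
    json.dumps({"timestamp": "2014-12-17T16:11:03.000000+0100", "event_type": "alert",
                "alert": {"signature_id": 1000001, "signature": "EXAMPLE rule A"},
                "packet": SAMPLE_PACKET}),
    "not json at all",
]


def demo():
    """Run the converter over the constructed records in a temp dir; returns
    (counts, frames read back from 1000001.pcap)."""
    outdir = tempfile.mkdtemp(prefix="eve2pcap_")
    counts = eve_to_pcaps(SAMPLE_EVE_LINES, outdir)
    return counts, read_pcap(os.path.join(outdir, "1000001.pcap"))


if __name__ == "__main__":
    # e.g.  tail -f /var/log/suricata/eve.json | python eve2pcap.py /tmp/pcaps
    print(eve_to_pcaps(sys.stdin, sys.argv[1] if len(sys.argv) > 1 else "pcaps"))
```

Because each pcap is opened in append mode and the global header is written only when the file is empty, the script can be restarted or fed by `tail -f` without corrupting earlier output; the decoded frame from the thread is 66 bytes (Ethernet + IPv4 + TCP with options), which is what ends up in each record.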
