[Oisf-users] Packet data in JSON

Andreas Moe moe.andreas at gmail.com
Wed Dec 17 19:48:51 UTC 2014


Not a full script that tails the file, but it's something. Say if you have
some events, and want to look deeper into and you just have the eve.json
file.

https://github.com/Maxtors/evepcapparser

2014-12-17 17:48 GMT+01:00 Victor Julien <lists at inliniac.net>:
>
> On 12/17/2014 04:18 PM, Eric Leblond wrote:
> > Hi,
> >
> > On Wed, 2014-12-17 at 16:11 +0100, Michał Purzyński wrote:
> >> Hey, starting from 2.1beta1 Suricata can output packet data, base64
> >> encoded, in JSON. I decided to give it a try and am wondering, how do
> >> I convert the data to pcap format?
> >
> > You can use scapy (http://www.secdev.org/projects/scapy/doc/index.html)
> > for that:
> >
> > $ scapy
> > Welcome to Scapy (2.2.0)
> >>>> import base64
> >>>> packet = "2FDmPDJQ9MrlS21yCABFAAA0/nVAADQGosRnKXw3wKgBgaqAABZAL82qoYTE9YARAPrDawAAAQEICgdqPOgTApaN"
> >>>> p = Ether(base64.b64decode(packet))
> >>>> wrpcap("/tmp/payload.pcap",p)
> >
>
> Nice one Eric. Someone should write script to tail eve.json and write
> pcaps in the <sid>.pcap format...
>
> Although it's just a single packet currently. Would like to add more,
> but not sure how yet.
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
>
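A worked version of what Victor asks for, added here as an example (not the evepcapparser code and not from the thread): it reads eve.json lines, base64-decodes the packet field of alert events and writes one libpcap file per signature id without needing scapy. It assumes Ethernet frames (linktype 1) and the eve field names timestamp, event_type, alert.signature_id and packet; the sample lines are constructed, reusing the base64 packet from Eric's scapy session.

```python
import base64
import json
import os
import struct
from collections import defaultdict
from datetime import datetime
# Constructed eve.json sample: an alert carrying the base64 packet from the thread, plus an http event without one.
SAMPLE_EVE = (
    '{"timestamp":"2014-12-17T16:11:00.123456+0100","event_type":"alert",'
    '"alert":{"signature_id":1000001,"signature":"EXAMPLE constructed alert"},'
    '"packet":"2FDmPDJQ9MrlS21yCABFAAA0/nVAADQGosRnKXw3wKgBgaqAABZAL82qoYTE9YARAPrDawAAAQEICgdqPOgTApaN"}\n'
    '{"timestamp":"2014-12-17T16:11:01.000000+0100","event_type":"http","http":{"hostname":"example.org"}}\n'
)

def pcap_global_header(linktype=1):
    # libpcap file header: magic, major, minor, tz offset, sigfigs, snaplen, linktype (1 = Ethernet, assumed).
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)

def pcap_record(ts, raw):
    # Per-packet record header: ts_sec, ts_usec, captured length, original length.
    return struct.pack("<IIII", int(ts.timestamp()), ts.microsecond, len(raw), len(raw)) + raw

def parse_event(line):
    """Return (sid, timestamp, raw_packet) for an alert that carries packet data, else None."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None  # a tailer can hand us a half-written line; skip it, don't crash
    if ev.get("event_type") != "alert" or "packet" not in ev:
        return None
    ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return ev["alert"]["signature_id"], ts, base64.b64decode(ev["packet"])

def build_pcaps(lines):
    """Group alert packets by signature id; return {"<sid>.pcap": file_bytes}."""
    records = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed is not None:
            sid, ts, raw = parsed
            records[sid].append(pcap_record(ts, raw))
    return {f"{sid}.pcap": pcap_global_header() + b"".join(recs)
            for sid, recs in records.items()}

def write_pcaps(eve_path, outdir="."):
    """Read an eve.json file and write one <sid>.pcap per signature id."""
    with open(eve_path) as f:
        files = build_pcaps(f)
    for name, data in files.items():
        with open(os.path.join(outdir, name), "wb") as out:
            out.write(data)
    return sorted(files)
```

Run write_pcaps("/var/log/suricata/eve.json") against a real file; alerts that share a SID are appended to the same pcap, so repeated hits for one rule land in one file.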