[Oisf-users] Packet data in JSON

Victor Julien lists at inliniac.net
Fri Dec 19 14:10:53 UTC 2014


On 12/17/2014 10:53 PM, Russell Fulton wrote:
> 
> On 18/12/2014, at 8:48 am, Andreas Moe <moe.andreas at gmail.com> wrote:
> 
>> Not a full script that tails the file, but it's something. Say if you have some events, and want to look deeper into and you just have the eve.json file.
>>
>> https://github.com/Maxtors/evepcapparser
>>
> 
> nice!
> 
> What I would like to do is take a series of packets from one of the higher level parsers and turn that into a single pcap file.  Either from json or from the data table in the database.  
> 
> The problem is having some automated way of linking the packets to a single event.  So far as I can see each packet is logged as a separate alert.  Is there anything logged that connects them?
> 
> Bro does this by having a unique id that is attached to a stream.
> 

Maybe we can consider supporting the tag keyword in the json out as
well. In 2.1 there is a unique identifier per bidirectional flow that is
added to all logs for that flow. So an alert + some tags could be tied
together that way.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
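The linking Victor describes (one flow identifier stamped on every EVE record for a bidirectional flow) is enough to do what Russell asked for: collect the records of one flow from eve.json and write their packet payloads to a single pcap. The script below is an added example, not code from the thread or from the Suricata project. It assumes the identifier field is named `flow_id` (the name later Suricata releases use), that packet data arrives base64-encoded in a `packet` field, and that the captured bytes are Ethernet frames (pcap linktype 1); the eve.json lines embedded in it are constructed for the demonstration and are not real sensor output.

```python
import base64
import json
import struct
from collections import defaultdict
from datetime import datetime

# Constructed sample eve.json lines (not real Suricata output): two alert
# records from the same flow (hypothetical flow_id 1234) that carry base64
# packet data, plus one unrelated alert on a different flow.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    {"timestamp": "2014-12-19T14:10:53.000100+0000", "flow_id": 1234,
     "event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
     "alert": {"signature_id": 1000001},
     "packet": base64.b64encode(b"\x00" * 14 + b"packet-one").decode()},
    {"timestamp": "2014-12-19T14:10:53.000300+0000", "flow_id": 1234,
     "event_type": "alert", "src_ip": "10.0.0.9", "dest_ip": "10.0.0.5",
     "alert": {"signature_id": 1000001},
     "packet": base64.b64encode(b"\x00" * 14 + b"packet-two").decode()},
    {"timestamp": "2014-12-19T14:10:54.000000+0000", "flow_id": 9999,
     "event_type": "alert", "src_ip": "10.0.0.7", "dest_ip": "10.0.0.9",
     "alert": {"signature_id": 1000002},
     "packet": base64.b64encode(b"\x00" * 14 + b"other").decode()},
])


def group_by_flow(eve_text):
    """Parse newline-delimited EVE JSON and bucket records by flow_id.

    Records without a flow_id (older Suricata output, or event types that
    are not tied to a flow) are skipped rather than guessed at.
    """
    flows = defaultdict(list)
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        fid = rec.get("flow_id")
        if fid is not None:
            flows[fid].append(rec)
    return flows


def _eve_timestamp(ts):
    """Split an EVE timestamp (ISO 8601 with microseconds and offset)
    into pcap (seconds, microseconds)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp()), dt.microsecond


def flow_to_pcap(records, linktype=1):
    """Build a classic pcap file (as bytes) from the packet fields of one
    flow's records, in timestamp order. Returns (pcap_bytes, packet_count).

    linktype=1 (Ethernet) is an assumption; check packet_info.linktype in
    the records if your sensor captures on another link type.
    """
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, network
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    count = 0
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        b64 = rec.get("packet")
        if not b64:
            continue  # e.g. a flow or tag record with no packet data
        raw = base64.b64decode(b64)
        sec, usec = _eve_timestamp(rec["timestamp"])
        # Per-packet header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", sec, usec, len(raw), len(raw))
        out += raw
        count += 1
    return bytes(out), count


if __name__ == "__main__":
    # Usage: write one pcap per flow that has packet data.
    for fid, recs in group_by_flow(SAMPLE_EVE).items():
        pcap, n = flow_to_pcap(recs)
        if n:
            with open(f"flow_{fid}.pcap", "wb") as fh:
                fh.write(pcap)
            print(f"flow {fid}: {n} packet(s), {len(pcap)} bytes")
```

Run against a real file by replacing `SAMPLE_EVE` with the contents of eve.json; because grouping is keyed on the flow identifier rather than on a tuple of addresses and ports, both directions of the conversation, and any tagged follow-on packets Suricata logs for the same flow, land in the same capture.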



