[Oisf-users] Indexing alert packet contents?

Cooper F. Nelson cnelson at ucsd.edu
Wed Mar 26 20:21:05 UTC 2014


This is just my opinion, but I tend to think that the correct solution
is to integrate full indexed packet capture w/suricata.  The idea being
that you want to see the entire IP conversation, in context, to
understand exactly what happened.  Just grabbing the packet that
triggered the alert isn't always enough.

So, what I'm looking at doing is integrating indexed packet capture into
the process.  For that I'm planning on using the open source project,


This is also built on elasticsearch, so you can leverage your existing

Basically, my plan is to augment Kibana to allow an analyst to select an
IP and then either download that entire IP conversation as a pcap (for
viewing in wireshark), or simply redirect to the moloch frontend with
that IP conversation selected.

-Coop

On 3/26/2014 1:02 PM, Matt wrote:
> I currently syslog alerts to a central server for storage.  To store
> packet contents, I write alert-debug to a unix socket on the sensor and
> read it with a perl script that does some filtering, writes the alerts
> to disk, and manages log rotation.  I'd really like to use this new
> elasticsearch fanciness to get indexed searches of packet contents with
> a pretty Kibana interface, but I don't see an easy way to do it.  It
> seems like it would be a no-brainer if the new eve format stored packet
> contents, but that doesn't appear to be the case.
> Does anyone here have a good solution for this?  Maybe write a unified2
> parser for logstash?  Or does it make sense to put in a feature request
> for eve to be able to output packets in the alert messages?
> Matt
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
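An added example (not code from either poster, and not Moloch or Suricata code) of the correlation Coop describes: take an eve alert, pull the whole IP conversation out of a flow index rather than only the triggering packet, and produce the equivalent capture filter for a pcap store. The alert line and packet records are constructed; the alert keys follow Suricata's eve format.

```python
import json
from collections import defaultdict

# Constructed eve.json alert line (not from the thread); keys follow Suricata's eve alert output.
EVE_ALERT = json.dumps({
    "timestamp": "2014-03-26T13:02:00.000000-0700", "event_type": "alert",
    "src_ip": "10.0.0.5", "src_port": 51234, "dest_ip": "192.0.2.10", "dest_port": 80,
    "proto": "TCP", "alert": {"signature_id": 1000001, "signature": "constructed test rule"},
})

# Constructed packet records standing in for an indexed capture store.
PACKETS = [
    {"ts": 1.0, "src": "10.0.0.5", "sport": 51234, "dst": "192.0.2.10", "dport": 80, "proto": "TCP", "note": "SYN"},
    {"ts": 1.1, "src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 51234, "proto": "TCP", "note": "SYN/ACK"},
    {"ts": 1.2, "src": "10.0.0.5", "sport": 51234, "dst": "192.0.2.10", "dport": 80, "proto": "TCP", "note": "request (alert fired here)"},
    {"ts": 1.3, "src": "10.0.0.7", "sport": 40000, "dst": "192.0.2.10", "dport": 80, "proto": "TCP", "note": "unrelated client"},
    {"ts": 1.4, "src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 51234, "proto": "TCP", "note": "response"},
]

def conv_key(ip_a, port_a, ip_b, port_b, proto):
    """Direction-independent conversation key, so both halves of the exchange
    land in the same bucket. Ports may be None (e.g. ICMP alerts carry none)."""
    ends = sorted([(ip_a, port_a or 0), (ip_b, port_b or 0)])
    return (proto.upper(), ends[0], ends[1])

def build_index(packets):
    """Index packet positions by conversation, the way a capture index would."""
    index = defaultdict(list)
    for pos, p in enumerate(packets):
        index[conv_key(p["src"], p["sport"], p["dst"], p["dport"], p["proto"])].append(pos)
    return index

def conversation_for_alert(eve_line, packets, index):
    """Return every packet of the IP conversation an eve alert belongs to, in capture order."""
    ev = json.loads(eve_line)
    if ev.get("event_type") != "alert":
        return []
    key = conv_key(ev["src_ip"], ev.get("src_port"), ev["dest_ip"], ev.get("dest_port"), ev["proto"])
    return [packets[pos] for pos in index.get(key, [])]

def bpf_for_alert(eve_line):
    """Equivalent capture filter for pulling the same conversation out of a pcap store."""
    ev = json.loads(eve_line)
    terms = [ev["proto"].lower(), f"host {ev['src_ip']}", f"host {ev['dest_ip']}"]
    if "src_port" in ev and "dest_port" in ev:
        terms += [f"port {ev['src_port']}", f"port {ev['dest_port']}"]
    return " and ".join(terms)

if __name__ == "__main__":
    for p in conversation_for_alert(EVE_ALERT, PACKETS, build_index(PACKETS)):
        print(p["ts"], p["src"], "->", p["dst"], p["note"])
    print(bpf_for_alert(EVE_ALERT))
```

The unrelated client's packet to the same server is excluded because the key covers both endpoints, which is the difference between "the packet that fired" and "the conversation it belongs to".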