[Oisf-users] Indexing alert packet contents?

Cooper F. Nelson cnelson at ucsd.edu
Wed Mar 26 20:21:05 UTC 2014


This is just my opinion, but I tend to think that the correct solution
is to integrate full indexed packet capture w/suricata.  The idea being
that you want to see the entire IP conversation, in context, to
understand exactly what happened.  Just grabbing the packet that
triggered the alert isn't always enough.

So, what I'm looking at doing is integrating indexed packet capture into
the process.  For that I'm planning on using the open source project,
Moloch:

https://github.com/aol/moloch

This is also built on elasticsearch, so you can leverage your existing
deployment.

Basically, my plan is to augment Kibana to allow an analyst to select an
IP and then either download that entire IP conversation as a pcap (for
viewing in wireshark), or simply redirect to the moloch frontend with
that IP conversation selected.

-Coop

On 3/26/2014 1:02 PM, Matt wrote:
> I currently syslog alerts to a central server for storage.  To store
> packet contents, I write alert-debug to a unix socket on the sensor and
> read it with a perl script that does some filtering, writes the alerts
> to disk, and manages log rotation.  I'd really like to use this new
> elasticsearch fanciness to get indexed searches of packet contents with
> a pretty Kibana interface, but I don't see an easy way to do it.  It
> seems like it would be a no-brainer if the new eve format stored packet
> contents, but that doesn't appear to be the case.
> 
> Does anyone here have a good solution for this?  Maybe write a unified2
> parser for logstash?  Or does it make sense to put in a feature request
> for eve to be able to output packets in the alert messages?
> 
> Matt
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042


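The "download that entire IP conversation as a pcap" step Cooper describes, as an added example that is not part of this thread and not Suricata, Moloch or Kibana code: given the 5-tuple from a Suricata EVE alert, it carves every packet of that flow, in both directions, out of a pcap file with a minimal pure-Python pcap/IPv4 parser (Ethernet link type, IPv4, TCP/UDP only). The alert and the four-frame pcap are constructed inline; the function names are mine.

```python
import struct

# Constructed sample, not from the thread: build a tiny Ethernet/IPv4/TCP pcap in memory.
def _frame(src, sport, dst, dport):
    # Ethernet header + minimal IPv4 header (no options, proto 6) + 20-byte TCP header, no payload
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0]) + bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x10, 1024, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def _pcap(frames):
    # pcap global header (little-endian, usec timestamps, LINKTYPE_ETHERNET) followed by one record per frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1395864000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_ALERT = {"src_ip": "10.0.0.5", "src_port": 51234,
                "dest_ip": "192.0.2.10", "dest_port": 80, "proto": "TCP"}
SAMPLE_PCAP = _pcap([
    _frame("10.0.0.5", 51234, "192.0.2.10", 80),   # client SYN of the alerted flow
    _frame("192.0.2.10", 80, "10.0.0.5", 51234),   # server reply, same conversation
    _frame("10.0.0.7", 40000, "192.0.2.10", 80),   # unrelated client, must be dropped
    _frame("10.0.0.5", 51234, "192.0.2.10", 80),   # the packet that fired the alert
])

def _records(data):
    # yield (16-byte record header, frame bytes) for each record after the 24-byte global header
    off = 24
    while off + 16 <= len(data):
        incl_len, = struct.unpack_from("<I", data, off + 8)
        yield data[off:off + 16], data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def _five_tuple(pkt):
    # (proto, src, sport, dst, dport) of an Ethernet/IPv4/TCP|UDP frame, else None
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] not in (6, 17):
        return None
    ihl = (pkt[14] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[26:30])
    dst = ".".join(str(b) for b in pkt[30:34])
    sport, dport = struct.unpack_from("!HH", pkt, 14 + ihl)
    return pkt[23], src, sport, dst, dport

def carve_conversation(alert, pcap_bytes):
    # keep only frames belonging to the alert's flow, in both directions; return (new pcap, frames kept)
    proto = {"TCP": 6, "UDP": 17}[alert["proto"].upper()]
    fwd = (proto, alert["src_ip"], alert["src_port"], alert["dest_ip"], alert["dest_port"])
    rev = (proto, alert["dest_ip"], alert["dest_port"], alert["src_ip"], alert["src_port"])
    out, kept = bytearray(pcap_bytes[:24]), 0        # reuse the original global header
    for hdr, pkt in _records(pcap_bytes):
        if _five_tuple(pkt) in (fwd, rev):
            out += hdr + pkt
            kept += 1
    return bytes(out), kept
```

Writing the returned bytes to a `.pcap` file gives the analyst the whole exchange for Wireshark rather than the single alert packet; on a real sensor the input would be the rolling capture covering the alert's timestamp.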