[Oisf-users] Best way to GET packet content and sent it by email
Andreas Moe
moe.andreas at gmail.com
Tue Dec 29 20:20:25 UTC 2015
When you say this output is a little different from the packet, could you
specify? For example, would it give normalized and decoded (ex. GRE, HTTP
gzip payload), or the raw "I matched on this packet" like unified records
are?
Tue 29 Dec 2015, 17:48 Jason Ish <lists at unx.ca> wrote:
> On Mon, Dec 28, 2015 at 7:40 AM, Alan Wanderley dos Santos
> <alan.santos at rnp.br> wrote:
> > Hi all,
> >
> > I use a script to grab each event from fast.log. For each event, the
> > script sends an email with the event data (just the line from fast.log). How
> > can I get packet data in human-readable mode and send it in this same
> > email? I tried using pcap.log (and tcpdump to read it), but there isn't any
> > kind of identification that I can use to connect an event with a specific packet.
> > I thought of using the time, but that is not an effective way to do this (there can be 2 or
> > N events at the same time). Another option is to match every attribute from the
> > event to the packet data (ip_source, ip_dest, port_source, port_dest,
> > protocol, time etc.). But I think that isn't the best way to do the job.
> >
> > Can you help me, guys?
>
> I'd look at the eve.log instead of the fast.log. It gives you the
> option to include the payload (a little different from the packet,
> usually more useful) in a printable format. It's also JSON, so
> depending on what you are using for your script, it may be more useful
> as well.
>
> Jason
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net