[Oisf-users] Best way to GET packet content and send it by email

Jason Ish lists at unx.ca
Tue Dec 29 20:33:29 UTC 2015


On Tue, Dec 29, 2015 at 2:20 PM, Andreas Moe <moe.andreas at gmail.com> wrote:
> When you say this output is a little different from the packet, could you
> specify? For example, would it give normalized and decoded (ex. GRE, http
> gzip payload), or the raw "I matched on this packet" like unified records
> are?

Generally just more context, especially if the alert generating data
crosses packet boundaries.  I just find it more relevant to knowing
why the event was triggered.  I'm sure there are more details I'm
missing, but haven't looked into it.

Of course with eve.log you could log the packet as well, and send that
in an email as well. I just find the payload more relevant.

>
>
> On Tue, 29 Dec 2015 at 17:48, Jason Ish <lists at unx.ca> wrote:
>>
>> On Mon, Dec 28, 2015 at 7:40 AM, Alan Wanderley dos Santos
>> <alan.santos at rnp.br> wrote:
>> > Hi all,
>> >
>> > I use a script to grab each event from fast.log. For each event, the
>> > script sends an email with the event data (just the line from fast.log). How
>> > can I get packet data in human-readable form and send it in this same email?
>> > I tried using pcap.log (and tcpdump to read it), but there isn't any kind of
>> > identification that I can use to connect an event with a specific packet. I
>> > thought of using the time, but that is not an effective way to do this (there can be 2 or N events
>> > at the same time). Another option is to match every attribute from the event to the
>> > packet data (ip_source, ip_dest, port_source, port_dest, protocol, time,
>> > etc.). But I think that isn't the best way to do the job.
>> >
>> > Can you help me, guys?
>>
>> I'd look at the eve.log instead of the fast.log. It gives you the
>> option to include the payload (a little different from the packet,
>> usually more useful) in a printable format.  It's also JSON, so
>> depending on what you are using for your script, it may be more useful
>> as well.
>>
>> Jason
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona:
>> http://oisfevents.net
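As an added illustration of the approach Jason suggests (not code from the thread or from the Suricata project): read eve.json line by line, keep only `alert` records, take the printable payload (falling back to the base64 `payload` field when only that is logged), and build one email per alert. The sample log lines, addresses and signature names are constructed; sending via smtplib is left to the caller.

```python
import base64
import json
from email.message import EmailMessage

# Constructed sample eve.json lines (not real Suricata output), using the EVE alert field names.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2015-12-29T20:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
    '{"timestamp":"2015-12-29T20:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":40001,'
    '"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"rev":1,'
    '"signature":"TEST sample rule"},"payload_printable":"GET /test HTTP/1.1\\r\\nHost: example.test\\r\\n\\r\\n"}',
    json.dumps({"timestamp": "2015-12-29T20:00:03.000000+0000", "event_type": "alert",
                "src_ip": "10.0.0.7", "src_port": 5555, "dest_ip": "10.0.0.9", "dest_port": 22,
                "proto": "TCP", "alert": {"signature_id": 1000002, "rev": 1, "signature": "TEST binary payload"},
                "payload": base64.b64encode(b"SSH-2.0-x\x00\x01\r\n").decode()}),
    "this line is not JSON and is skipped",
]

def parse_alerts(lines):
    """Yield one dict per alert record; other event types and unparsable lines are skipped."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        payload = ev.get("payload_printable")
        if payload is None and "payload" in ev:
            # Fall back to the base64 'payload' field; non-printable bytes are shown as '.'
            raw = base64.b64decode(ev["payload"])
            payload = "".join(chr(b) if 32 <= b < 127 else "." for b in raw)
        a = ev.get("alert", {})
        yield {"timestamp": ev.get("timestamp"), "sid": a.get("signature_id"),
               "signature": a.get("signature"), "proto": ev.get("proto"),
               "src": f"{ev.get('src_ip')}:{ev.get('src_port')}",
               "dest": f"{ev.get('dest_ip')}:{ev.get('dest_port')}", "payload": payload or ""}

def format_alert(alert):
    """Plain-text body: a fast.log-style header line followed by the printable payload."""
    return (f"{alert['timestamp']} {alert['proto']} {alert['src']} -> {alert['dest']}\n"
            f"{alert['signature']} (sid:{alert['sid']})\n\n--- payload ---\n{alert['payload']}\n")

def build_email(alert, sender, recipient):
    """Build (but do not send) one message per alert; pass the result to smtplib or similar."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"[Suricata] sid:{alert['sid']} {alert['signature']}"
    msg.set_content(format_alert(alert))
    return msg
```

Because each alert record already carries the flow tuple, the payload and the signature, no correlation against pcap.log by timestamp or 5-tuple is needed.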
