[Oisf-users] Best way to GET packet content and sent it by email

Peter Manev petermanev at gmail.com
Wed Dec 30 08:42:08 UTC 2015 

On Tue, 2015-12-29 at 14:33 -0600, Jason Ish wrote:
> On Tue, Dec 29, 2015 at 2:20 PM, Andreas Moe <moe.andreas at gmail.com> wrote:
> > When you say this output is a little differet from the packer, could you
> > specify? For example would it give normalized and decoded (ex. GRE, http
> > gzip payload), or tje raw "i matched on this packet" like unified records
> > are.
> 
> Generally just more context, especially if the alert generating data
> crosses packet boundaries.  I just find it more relevant to knowing
> why the event was triggered.  I'm sure there are more details I'm
> missing, but haven't looked into it.
> 
> Of course with eve.log you could log the packet as well, and send that
> in an email as well. I just find the payload more relevant.
> 
> >
> >
> > tir. 29. des. 2015, 17:48 skrev Jason Ish <lists at unx.ca>:
> >>
> >> On Mon, Dec 28, 2015 at 7:40 AM, Alan Wanderley dos Santos
> >> <alan.santos at rnp.br> wrote:
> >> > Hi all,
> >> >
> >> > I use a script to grab each event from fast.log. For each event, the
> >> > script send a email with the event data (just the line from fast.log). How
> >> > can i get packet data in human readable mode and send it in this same email?

This could be really dangerous  - what if you receive 5000 alerts within
a few seconds ? The way you explain your set up - it would mean that you
will send 5000 e-mails? (you or your organization might get black listed
that way)

> >> > I try use pcap.log (and tcpdump for read it), but, there are not any kind of
> >> > identification that i can connect an event with a specific packet data. I
> >> > think use the time, but is not a effect way to do this(Can be 2 or N events
> >> > in the same time). Other option is match every attribute from event to
> >> > package data (ip_source, ip_dest, port_source, port_dest, protocol, time
> >> > etc). But, i think that isan't the best way to do the job.
> >> >
> >> > Can you help-me guys?
> >>
> >> I'd look at the eve.log instead of the fast.log. It gives you the
> >> option to include the payload (a little different from the packet,
> >> usually more useful) in a printable format.  Its also JSON, so
> >> depending on what you are using for your script, it may be more useful
> >> as well.
> >>
> >> Jason
> >> _______________________________________________
> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> Suricata User Conference November 4 & 5 in Barcelona:
> >> http://oisfevents.net
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net

More information about the Oisf-users mailing list