[Oisf-users] parsing eve alert payload

Jason Ish lists at unx.ca
Wed Apr 13 21:45:30 UTC 2016

On Wed, Apr 13, 2016 at 11:40 AM, Andreas Moe <moe.andreas at gmail.com> wrote:
> hi there. im looking a bit into parsing eve alert payload, to be able to
> output the data to pcap format. im seeing that the payload data does not
> contain any tcp/ip/eth headers, is there any way to alter this? and a second
> question, anyone know of previous work done on handeling the payload data in
> eve alert logs?

My python idstools package has a tool, eve2pcap, that can convert the
packet or the payload to a pcap.  Payload conversion requires scapy.



More information about the Oisf-users mailing list