[Oisf-users] parsing eve alert payload
Jason Ish
lists at unx.ca
Wed Apr 13 21:45:30 UTC 2016
On Wed, Apr 13, 2016 at 11:40 AM, Andreas Moe <moe.andreas at gmail.com> wrote:
> Hi there. I'm looking a bit into parsing the EVE alert payload, to be able to
> output the data to pcap format. I'm seeing that the payload data does not
> contain any TCP/IP/Ethernet headers; is there any way to alter this? And a second
> question: does anyone know of previous work done on handling the payload data in
> EVE alert logs?
My python idstools package has a tool, eve2pcap, that can convert the
packet or the payload to a pcap. Payload conversion requires scapy.
https://github.com/jasonish/py-idstools/blob/master/idstools/scripts/eve2pcap.py
Jason
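As an added example (not Jason's eve2pcap and not code from the thread), here is a standalone Python sketch of the payload path: it reads one EVE alert line, base64-decodes the payload, synthesizes the Ethernet/IPv4/TCP headers that the payload field lacks using struct instead of scapy, and writes a pcap. The sample record, the zero MAC addresses, TTL and TCP sequence numbers are constructed assumptions.

```python
import base64
import json
import socket
import struct
from datetime import datetime

# Constructed EVE alert record (not from the thread); only the fields this
# example reads are present, and "payload" is base64 as Suricata emits it.
SAMPLE_EVE = json.dumps({
    "timestamp": "2016-04-13T11:40:00.000000+0000", "event_type": "alert",
    "src_ip": "192.0.2.10", "src_port": 40123,
    "dest_ip": "198.51.100.20", "dest_port": 80, "proto": "TCP",
    "payload": base64.b64encode(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n").decode(),
})

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def synthesize_frame(alert: dict) -> bytes:
    """Wrap the decoded payload in Ethernet/IPv4/TCP headers. Assumed values
    (the alert carries none): zero MACs, TTL 64, seq/ack 0, PSH|ACK,
    and a zero TCP checksum, which pcap tools accept."""
    if alert.get("proto") != "TCP":
        raise ValueError("this example only synthesizes TCP headers")
    payload = base64.b64decode(alert["payload"])
    tcp = struct.pack("!HHIIBBHHH", alert["src_port"], alert["dest_port"],
                      0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(alert["src_ip"]),
                     socket.inet_aton(alert["dest_ip"]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return b"\0" * 12 + b"\x08\x00" + ip + tcp + payload  # zero MACs, EtherType IPv4

def eve_alert_to_pcap(eve_line: str) -> bytes:
    """Return a pcap file (global header + one record) for one EVE alert line."""
    alert = json.loads(eve_line)
    frame = synthesize_frame(alert)
    ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    pcap_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    rec_hdr = struct.pack("<IIII", int(ts.timestamp()), ts.microsecond, len(frame), len(frame))
    return pcap_hdr + rec_hdr + frame

if __name__ == "__main__":
    with open("eve_alert.pcap", "wb") as fh:
        fh.write(eve_alert_to_pcap(SAMPLE_EVE))
```

The resulting file opens in tcpdump or Wireshark; the IPv4 checksum is valid, while the TCP checksum is left at zero and will be flagged as such.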