[Oisf-users] parsing eve alert payload
Andreas Moe
moe.andreas at gmail.com
Thu Apr 14 05:33:53 UTC 2016
Ah, thanks that helps alot. I see thar in the eve2pcap there is an option
for chosing to use / convert the payload rather than the packet. Any
reasons why one would want the one form of output over the othet (seems
abir disk wasting to output both, if packet is a superset of payload)
Den ons. 13. apr. 2016, 23:45 skrev Jason Ish <lists at unx.ca>:
> On Wed, Apr 13, 2016 at 11:40 AM, Andreas Moe <moe.andreas at gmail.com>
> wrote:
> > hi there. im looking a bit into parsing eve alert payload, to be able to
> > output the data to pcap format. im seeing that the payload data does not
> > contain any tcp/ip/eth headers, is there any way to alter this? and a
> second
> > question, anyone know of previous work done on handeling the payload
> data in
> > eve alert logs?
>
> My python idstools package has a tool, eve2pcap, that can convert the
> packet or the payload to a pcap. Payload conversion requires scapy.
>
>
> https://github.com/jasonish/py-idstools/blob/master/idstools/scripts/eve2pcap.py
>
> Jason
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160414/4eb04edb/attachment-0002.html>
More information about the Oisf-users
mailing list