[Oisf-users] parsing eve alert payload

[Andreas Moe]

Looking at the code (output-json-alert.c, line 326++) i see that if the
packet option is enabled, the entire packet should be outputed. But some
times i see that the payload (in the eve.json log) is much larger than the
packet field. Something im not interpreting correctly here?

2016-04-14 7:33 GMT+02:00 Andreas Moe <moe.andreas at gmail.com>:

> Ah, thanks that helps alot. I see thar in the eve2pcap there is an option
> for chosing to use / convert the payload rather than the packet. Any
> reasons why one would want the one form of output over the othet (seems
> abir disk wasting to output both, if packet is a superset of payload)
>
> Den ons. 13. apr. 2016, 23:45 skrev Jason Ish <lists at unx.ca>:
>
>> On Wed, Apr 13, 2016 at 11:40 AM, Andreas Moe <moe.andreas at gmail.com>
>> wrote:
>> > hi there. im looking a bit into parsing eve alert payload, to be able to
>> > output the data to pcap format. im seeing that the payload data does not
>> > contain any tcp/ip/eth headers, is there any way to alter this? and a
>> second
>> > question, anyone know of previous work done on handeling the payload
>> data in
>> > eve alert logs?
>>
>> My python idstools package has a tool, eve2pcap, that can convert the
>> packet or the payload to a pcap.  Payload conversion requires scapy.
>>
>>
>> https://github.com/jasonish/py-idstools/blob/master/idstools/scripts/eve2pcap.py
>>
>> Jason
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC:
>> http://oisfevents.net
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160415/008149e4/attachment-0002.html>