[Oisf-users] parsing eve alert payload

Eric Leblond eric at regit.org
Fri Apr 15 08:15:09 UTC 2016


Hi,

On Fri, 2016-04-15 at 09:58 +0200, Andreas Moe wrote:
> Looking at the code (output-json-alert.c, line 326++) I see that if
> the packet option is enabled, the entire packet should be output.
> But sometimes I see that the payload (in the eve.json log) is much
> larger than the packet field. Something I'm not interpreting correctly
> here?

You have multiple fields:
- payload: it is the pieces of reconstructed stream that triggered the
alert, so it can be big
- packet: it's the content of the datagram that did trigger the alert.
It can be either the packet with bad content or, in case of an alert on
stream, the packet acking the data that did trigger the alert

++

> 
> 2016-04-14 7:33 GMT+02:00 Andreas Moe <moe.andreas at gmail.com>:
> > Ah, thanks, that helps a lot. I see that in the eve2pcap there is an
> > option for choosing to use / convert the payload rather than the
> > packet. Any reasons why one would want the one form of output over
> > the other (seems a bit disk wasting to output both, if packet is a
> > superset of payload)
> > 
> > > On Wed 13 Apr 2016, 23:45 Jason Ish <lists at unx.ca> wrote:
> > > On Wed, Apr 13, 2016 at 11:40 AM, Andreas Moe <moe.andreas at gmail.com> wrote:
> > > > Hi there. I'm looking a bit into parsing eve alert payload, to be able to
> > > > output the data to pcap format. I'm seeing that the payload data does not
> > > > contain any tcp/ip/eth headers, is there any way to alter this? And a second
> > > > question, anyone know of previous work done on handling the payload data in
> > > > eve alert logs?
> > > 
> > > My python idstools package has a tool, eve2pcap, that can convert the
> > > packet or the payload to a pcap.  Payload conversion requires scapy.
> > > 
> > > https://github.com/jasonish/py-idstools/blob/master/idstools/scripts/eve2pcap.py
> > > 
> > > Jason
> > > _______________________________________________
> > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
-- 
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/
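The packet/payload distinction above, as an added example (not code from this thread or from idstools): it decodes both base64 fields of a constructed eve.json alert line, shows that `payload` (a reconstructed stream chunk) can be far larger than `packet` (one datagram), and writes only the `packet` field into a libpcap file, since `payload` carries no Ethernet/IP/TCP headers. The `packet_info.linktype` field and the sample record are assumptions.

```python
import base64
import json
import struct
from datetime import datetime

# Constructed sample eve.json alert (not real Suricata output): a 54-byte ACK
# frame in `packet` and a ~320-byte reconstructed stream chunk in `payload`.
_FRAME = bytes(54)  # placeholder Ethernet/IP/TCP headers carrying no data
_CHUNK = b"GET /" + b"A" * 300 + b" HTTP/1.1\r\n\r\n"
SAMPLE_LINE = json.dumps({
    "timestamp": "2016-04-15T08:15:09.123456+0000",
    "event_type": "alert",
    "packet": base64.b64encode(_FRAME).decode(),
    "packet_info": {"linktype": 1},  # assumed field; 1 = Ethernet
    "payload": base64.b64encode(_CHUNK).decode(),
})


def parse_alert(line):
    """Decode one eve.json line; both `packet` and `payload` are base64."""
    rec = json.loads(line)
    if rec.get("event_type") != "alert":
        return None
    ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return {
        "sec": int(ts.timestamp()),
        "usec": ts.microsecond,
        "packet": base64.b64decode(rec.get("packet", "")),
        "payload": base64.b64decode(rec.get("payload", "")),
        "linktype": rec.get("packet_info", {}).get("linktype", 1),
    }


def packets_to_pcap(lines, linktype=1):
    """Return (pcap bytes, record count) built from the `packet` field only.
    `payload` is skipped on purpose: it has no L2/L3/L4 headers, so a pcap
    would need synthesised headers (what eve2pcap uses scapy for)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    n = 0
    for line in lines:
        a = parse_alert(line)
        if not a or not a["packet"] or a["linktype"] != linktype:
            continue
        out += struct.pack("<IIII", a["sec"], a["usec"], len(a["packet"]), len(a["packet"]))
        out += a["packet"]
        n += 1
    return out, n


if __name__ == "__main__":
    a = parse_alert(SAMPLE_LINE)
    print(f"packet={len(a['packet'])}B payload={len(a['payload'])}B")  # payload > packet
    data, count = packets_to_pcap([SAMPLE_LINE])
    open("alerts.pcap", "wb").write(data)
```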
