[Oisf-users] Best way to GET packet content and sent it by email

Alan Wanderley dos Santos alan.santos at rnp.br
Mon Jan 4 12:58:13 UTC 2016


Hi Andres,

In fact, alert-debug is very helpful. There is a lot of good information there. But I still have the same problem. I mean, there is no simple way to connect an event collected in fast.log with an event in alert-debug.log. I could change my script to parse alert-debug instead of fast.log. I would not do that, because there are a lot of other scripts using data from fast.log.

I'm still searching for a way. Maybe match attributes from each processed event with the alert-debug.log. It is neither elegant nor practical.

Regards,

-----------------------------------------------
Alan Santos
Security Analyst
Centro de Atendimento a Incidentes de Segurança (CAIS)
Rede Nacional de Ensino e Pesquisa (RNP)
(19) 3787-3314 | alan.santos at rnp.br

----- Original message -----
From: "Andreas Herz" <andi at geekosphere.org>
To: oisf-users at lists.openinfosecfoundation.org
Sent: Monday, 28 December 2015 18:41:53
Subject: Re: [Oisf-users] Best way to GET packet content and sent it by email

Hi Alan,

On 28/12/15 at 11:40, Alan Wanderley dos Santos wrote:
> Hi all,
> 
> I use a script to grab each event from fast.log. For each event, the
> script sends an email with the event data (just the line from fast.log).
> How can I get the packet data in human-readable form and send it in
> this same email? I tried to use pcap.log (and tcpdump to read it), but
> there is no kind of identification that I can use to connect an event
> with a specific packet's data. I thought of using the time, but that is
> not an effective way to do this (there can be 2 or N events at the same
> time). Another option is to match every attribute of the event to the
> packet data (ip_source, ip_dest, port_source, port_dest, protocol, time,
> etc.). But I think that isn't the best way to do the job.
> 
> Can you help me, guys?

You could try the alert-debug.log and see if that content (human
readable) matches your needs and also contains the relevant event info.

-- 
Andreas Herz
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
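The attribute-plus-time matching discussed in the thread (5-tuple and timestamp of a fast.log alert against the packets in pcap.log), written out as an added example; this is not code from the thread, from RNP or from the Suricata project. It parses fast.log lines with a regular expression, reads a classic pcap using only the standard library, keeps the packets whose direction-sensitive 5-tuple equals the alert's within a time tolerance, and deliberately returns no payload when more than one packet falls in the window, which is the "2 or N events at the same time" case Alan raises. All hosts, ports, payloads and log lines are constructed. Assumptions: fast.log timestamps and the capture clock are both UTC, pcap.log is a little-endian microsecond Ethernet pcap, and only IPv4 TCP/UDP is handled.

```python
import re
import socket
import struct
from datetime import datetime, timezone

# One Suricata fast.log alert line (IPv4 only; IPv6 addresses are not handled here).
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r".*?\{(?P<proto>[A-Z]+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s*$")
PROTO_NAME = {6: "TCP", 17: "UDP"}

def parse_fast_line(line):
    """5-tuple, sid, msg and epoch timestamp of one fast.log line, or None if it does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Assumption: fast.log timestamps and the capture clock are both UTC (adjust for local time).
    ts = datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "sid": int(d["sid"]), "msg": d["msg"], "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"])}

def read_pcap(data):
    """Parse a classic little-endian microsecond Ethernet pcap into IPv4 TCP/UDP records."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("only little-endian microsecond Ethernet pcap is handled here")
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # skip anything that is not IPv4
            continue
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        ip, l4 = frame[14:14 + ihl], frame[14 + ihl:14 + total]   # drop Ethernet trailer/padding
        if ip[9] not in PROTO_NAME:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        hdr = (l4[12] >> 4) * 4 if ip[9] == 6 else 8           # TCP data offset, or fixed UDP header
        pkts.append({"ts": sec + usec / 1e6, "proto": PROTO_NAME[ip[9]],
                     "src": socket.inet_ntoa(ip[12:16]), "sport": sport,
                     "dst": socket.inet_ntoa(ip[16:20]), "dport": dport, "payload": l4[hdr:]})
    return pkts

def match_event(event, packets, tolerance):
    """Packets whose direction-sensitive 5-tuple equals the alert's, within +/- tolerance seconds."""
    return [p for p in packets
            if (p["proto"], p["src"], p["sport"], p["dst"], p["dport"]) ==
               (event["proto"], event["src"], event["sport"], event["dst"], event["dport"])
            and abs(p["ts"] - event["ts"]) <= tolerance]

def hexdump(data, width=16):
    """tcpdump -X style rendering of a payload, for pasting into the alert e-mail."""
    return "\n".join(
        f"{i:04x}  {' '.join(f'{b:02x}' for b in data[i:i + width]):<{width * 3}} "
        + "".join(chr(b) if 32 <= b < 127 else "." for b in data[i:i + width])
        for i in range(0, len(data), width))

def correlate(fast_lines, pcap_bytes, tolerance=1.0):
    """sid -> number of candidate packets, plus payload and dump only when the match is unique."""
    packets, out = read_pcap(pcap_bytes), {}
    for ev in filter(None, map(parse_fast_line, fast_lines)):
        hits = match_event(ev, packets, tolerance)
        unique = hits[0]["payload"] if len(hits) == 1 else None
        out[ev["sid"]] = {"msg": ev["msg"], "matches": len(hits), "payload": unique,
                          "dump": hexdump(unique) if unique is not None else ""}
    return out
# ---- constructed sample data (synthetic, not real traffic) ----------------------------------
def build_frame(src, dst, proto, sport, dport, payload):
    # Ethernet + IPv4 + TCP/UDP with zeroed checksums: enough to be parsed, not to be sent.
    if proto == "TCP":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, 6 if proto == "TCP" else 17,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def build_pcap(records):
    # records: iterable of (epoch_float, frame_bytes); writes a pcap that read_pcap() accepts
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame
    return out

BASE = datetime(2015, 12, 28, 11, 40, 0, tzinfo=timezone.utc).timestamp()
SAMPLE_PCAP = build_pcap([
    (BASE + 0.123456, build_frame("10.0.0.5", "192.0.2.10", "TCP", 44321, 80, b"GET /cmd.exe HTTP/1.1\r\n")),
    (BASE + 0.123999, build_frame("10.0.0.5", "192.0.2.53", "UDP", 53001, 53, b"\x12\x34\x01\x00")),
    # same 5-tuple as the first packet, same second: the ambiguity the thread is worried about
    (BASE + 0.5, build_frame("10.0.0.5", "192.0.2.10", "TCP", 44321, 80, b"GET /admin HTTP/1.1\r\n")),
])
SAMPLE_FAST = [
    "12/28/2015-11:40:00.123456  [**] [1:1000001:1] TEST HTTP cmd.exe [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:44321 -> 192.0.2.10:80",
    "12/28/2015-11:40:00.123999  [**] [1:1000002:1] TEST DNS query [**] "
    "[Priority: 3] {UDP} 10.0.0.5:53001 -> 192.0.2.53:53",
    "12/28/2015-11:40:05.000000  [**] [1:1000003:1] TEST not captured [**] "
    "[Priority: 3] {TCP} 10.0.0.9:1234 -> 192.0.2.10:443",
]
```

Calling `correlate(SAMPLE_FAST, SAMPLE_PCAP, 1.0)` reports two candidates for sid 1000001 and withholds the payload, because the same client connection sent a second request within the window; tightening the tolerance to `0.01` makes the match unique, since fast.log carries the alerting packet's own microsecond timestamp. Whatever tolerance is chosen, a script that e-mails the dump should send the "matches" count with it, so that an ambiguous or missing match is visible to the analyst rather than silently attaching the wrong packet.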
