[Oisf-users] Best way to GET packet content and sent it by email

Victor Julien lists at inliniac.net
Mon Jan 4 13:01:53 UTC 2016


On 04-01-16 13:58, Alan Wanderley dos Santos wrote:
> In fact, the alert.debug is very helpful. There is a lot of good information there. But I still have the same problem. I mean, there is no simple way to connect an event collected in fast.log with an event in alert-debug.log. I can change my script to parse alert-debug instead of fast.log. I would not do that because there are a lot of other scripts using data from fast.log.
> 
> I'm still searching for a way. Maybe match attributes from each processed event with the alert-debug.log. It is neither elegant nor practical.

In the eve output in 3.0 you can enable payload and packet logging as
part of the alert records.

Cheers,
Victor



> Regards,
> 
> -----------------------------------------------
> Alan Santos
> Security Analyst
> Centro de Atendimento a Incidentes de Segurança (CAIS)
> Rede Nacional de Ensino e Pesquisa (RNP)
> (19) 3787-3314 | alan.santos at rnp.br
> 
> ----- Original message -----
> From: "Andreas Herz" <andi at geekosphere.org>
> To: oisf-users at lists.openinfosecfoundation.org
> Sent: Monday, 28 December 2015 18:41:53
> Subject: Re: [Oisf-users] Best way to GET packet content and sent it by email
> 
> Hi Alan,
> 
> On 28/12/15 at 11:40, Alan Wanderley dos Santos wrote:
>> Hi all,
>>
>> I use a script to grab each event from fast.log. For each event, the
>> script sends an email with the event data (just the line from fast.log).
>> How can I get packet data in human-readable form and send it in this
>> same email? I tried to use pcap.log (and tcpdump to read it), but there
>> is no kind of identification with which I can connect an event to
>> specific packet data. I thought of using the time, but that is not an
>> effective way to do this (there can be 2 or N events at the same time).
>> Another option is to match every attribute from the event to the packet
>> data (ip_source, ip_dest, port_source, port_dest, protocol, time etc).
>> But I think that isn't the best way to do the job.
>>
>> Can you help me, guys?
> 
> You could try the alert-debug.log and see if that content (human
> readable) matches your need and also contains the relevant event info.
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
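
An added example, not part of the original message: one way to build the notification email directly from EVE alert records, so the alert line and its payload come from the same JSON object and no correlation with fast.log is needed. It assumes the `alert` type under `eve-log` has `payload: yes` enabled and that the record carries the payload base64-encoded in a `payload` field; the sample record, addresses and rule below are constructed.

```python
import base64
import json
from email.message import EmailMessage

# Constructed sample EVE lines (not real traffic): one alert with a payload, one DNS event.
SAMPLE_EVE = json.dumps({
    "timestamp": "2016-01-04T13:01:53.000000+0000",
    "event_type": "alert",
    "src_ip": "192.0.2.10", "src_port": 40000,
    "dest_ip": "198.51.100.5", "dest_port": 80, "proto": "TCP",
    "alert": {"signature_id": 1000001, "signature": "EXAMPLE test rule", "severity": 2},
    "payload": base64.b64encode(b"GET /test HTTP/1.1\r\nHost: example.test\r\n\r\n").decode(),
}) + "\n" + json.dumps({"event_type": "dns", "timestamp": "2016-01-04T13:01:54.000000+0000"})


def hexdump(data, width=16):
    """Render bytes as offset / hex / printable-ASCII rows."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(rows)


def alert_emails(eve_text, sender, recipient):
    """Yield one EmailMessage per alert record; other or malformed lines are skipped."""
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # e.g. a partially written line at the end of the file
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        payload = base64.b64decode(ev.get("payload", ""))
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, recipient
        msg["Subject"] = f"[{a['signature_id']}] {a['signature']}"
        msg.set_content(
            f"{ev['timestamp']} {ev['proto']} "
            f"{ev['src_ip']}:{ev.get('src_port')} -> {ev['dest_ip']}:{ev.get('dest_port')}\n\n"
            + (hexdump(payload) if payload else "(no payload logged)") + "\n"
        )
        yield msg
```

Each yielded message can be handed to `smtplib.SMTP.send_message`; scripts that already consume fast.log are unaffected because the EVE log is a separate output.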



