[Oisf-users] Best way to GET packet content and sent it by email
Alan Wanderley dos Santos
alan.santos at rnp.br
Mon Jan 4 13:24:13 UTC 2016
Good to know. Unfortunately, I am still using Suricata 2.0.6. We have a network with 27 sensors (working as IDS only). It is a very delicate environment, but we will update them as soon as possible. Until then, I have to find another way.
Regards,
-----------------------------------------------
Alan Santos
Security Analyst
Centro de Atendimento a Incidentes de Segurança (CAIS)
Rede Nacional de Ensino e Pesquisa (RNP)
(19) 3787-3314 | alan.santos at rnp.br
----- Original message -----
From: "Victor Julien" <lists at inliniac.net>
To: oisf-users at lists.openinfosecfoundation.org
Sent: Monday, January 4, 2016 11:01:53
Subject: Re: [Oisf-users] Best way to GET packet content and sent it by email
On 04-01-16 13:58, Alan Wanderley dos Santos wrote:
> In fact, the alert-debug log is very helpful. There is a lot of good information there. But I still have the same problem. I mean, there is no simple way to connect an event collected in fast.log with an event in alert-debug.log. I could change my script to parse alert-debug instead of fast.log. I would rather not do that because there are a lot of other scripts using data from fast.log.
>
> I'm still searching for a way. Maybe match attributes from each processed event with the alert-debug.log. It is neither elegant nor practical.
In the eve output in 3.0 you can enable payload and packet logging as
part of the alert records.
Cheers,
Victor
> Regards,
>
> -----------------------------------------------
> Alan Santos
> Security Analyst
> Centro de Atendimento a Incidentes de Segurança (CAIS)
> Rede Nacional de Ensino e Pesquisa (RNP)
> (19) 3787-3314 | alan.santos at rnp.br
>
> ----- Original message -----
> From: "Andreas Herz" <andi at geekosphere.org>
> To: oisf-users at lists.openinfosecfoundation.org
> Sent: Monday, December 28, 2015 18:41:53
> Subject: Re: [Oisf-users] Best way to GET packet content and sent it by email
>
> Hi Alan,
>
> On 28/12/15 at 11:40, Alan Wanderley dos Santos wrote:
>> Hi all,
>>
>> I use a script to grab each event from fast.log. For each event, the
>> script sends an email with the event data (just the line from fast.log).
>> How can I get the packet data in human-readable form and send it in this
>> same email? I tried using pcap.log (and tcpdump to read it), but there
>> is no kind of identifier that I can use to connect an event with a
>> specific packet's data. I thought of using the time, but that is not an
>> effective way to do this (there can be 2 or N events at the same time).
>> Another option is to match every attribute of the event to the packet
>> data (ip_source, ip_dest, port_source, port_dest, protocol, time etc.).
>> But I think that isn't the best way to do the job.
>>
>> Can you help me, guys?
>
> You could try the alert-debug.log and see if that content (human
> readable) matches your need and also contains the relevant event infos.
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
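Added example (not code from this thread or from the Suricata project) illustrating Victor's suggestion: once the EVE alert output has `payload`, `payload-printable` and `packet` enabled, every alert record already carries the fast.log fields, the decoded payload and the raw frame, so one script can produce the summary line and a human-readable packet dump for the e-mail without correlating two log files. The suricata.yaml fragment in the docstring, the sender/recipient addresses and the EVE line are assumptions or constructed test data; the frame is built inline rather than captured.

```python
"""
Render Suricata EVE alert records as a human-readable e-mail.

Assumed suricata.yaml fragment (Suricata 3.0 or later; not taken from the thread):

outputs:
  - eve-log:
      enabled: yes
      filename: eve.json
      types:
        - alert:
            payload: yes            # adds base64 "payload"
            payload-printable: yes  # adds "payload_printable"
            packet: yes             # adds base64 "packet" (whole frame)
"""
import base64
import json
import struct
from email.message import EmailMessage


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII dump in the style of `tcpdump -X`."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {asciipart}")
    return "\n".join(lines)


def alert_summary(rec: dict) -> str:
    """fast.log-style one-liner rebuilt from the EVE record, so existing
    fast.log consumers keep the same fields."""
    a = rec["alert"]
    return (f"{rec['timestamp']}  [**] [{a['gid']}:{a['signature_id']}:{a['rev']}] "
            f"{a['signature']} [**] [Classification: {a['category']}] "
            f"[Priority: {a['severity']}] {{{rec['proto']}}} "
            f"{rec['src_ip']}:{rec['src_port']} -> {rec['dest_ip']}:{rec['dest_port']}")


def build_email(rec: dict, sender: str, recipient: str) -> EmailMessage:
    """One alert record -> one e-mail: summary, printable payload, packet dump."""
    msg = EmailMessage()
    msg["Subject"] = f"[Suricata] {rec['alert']['signature']}"
    msg["From"] = sender
    msg["To"] = recipient
    body = [alert_summary(rec), "", f"flow_id: {rec.get('flow_id')}"]
    if "payload_printable" in rec:
        body += ["", "Payload (printable):", rec["payload_printable"]]
    if "packet" in rec:
        pkt = base64.b64decode(rec["packet"])
        body += ["", f"Packet ({len(pkt)} bytes):", hexdump(pkt)]
    msg.set_content("\n".join(body))
    return msg


def alerts_from_eve(lines):
    """Yield only alert records from an eve.json line stream."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            yield rec


# --- constructed sample data (not a real capture) -------------------------
_PAYLOAD = b"uid=0(root) gid=0(root)\n"


def _constructed_frame(payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame with zeroed checksums, for the sample."""
    eth = bytes(12) + b"\x08\x00"                       # dst, src, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    tcp = struct.pack("!HHIIBBHHH", 80, 54321, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


SAMPLE_EVE = json.dumps({
    "timestamp": "2016-01-04T13:24:13.123456+0000", "flow_id": 1234567890,
    "event_type": "alert", "src_ip": "10.0.0.5", "src_port": 80,
    "dest_ip": "192.168.1.10", "dest_port": 54321, "proto": "TCP",
    "alert": {"action": "allowed", "gid": 1, "signature_id": 2100498, "rev": 7,
              "signature": "GPL ATTACK_RESPONSE id check returned root",
              "category": "Potentially Bad Traffic", "severity": 2},
    "payload": base64.b64encode(_PAYLOAD).decode(),
    "payload_printable": _PAYLOAD.decode(),
    "packet": base64.b64encode(_constructed_frame(_PAYLOAD)).decode(),
}) + "\n" + json.dumps({"event_type": "flow", "proto": "UDP"}) + "\n"


if __name__ == "__main__":
    for rec in alerts_from_eve(SAMPLE_EVE.splitlines()):
        print(build_email(rec, "suricata@example.org", "soc@example.org"))
```

In production the script would tail eve.json instead of `SAMPLE_EVE` and hand each `EmailMessage` to `smtplib`; the `flow_id` in the body is also the key to pull the rest of the flow out of the EVE stream if more context is needed later.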