[Oisf-users] Extracting Packet Header + Payload

Korodev korodev at gmail.com
Thu Apr 19 17:19:28 UTC 2018


Hi all,

As we transition from unified2 to eve logs, I'm having trouble
extracting the hex dump of the full packet that tripped an alert.
Based on the documentation, it looks like I'd need to enable packet
(header) and payload logging, decode them, and put them together.

We're currently testing w/ Suricata 4.1 Beta and have some basic test
signatures to catch GET requests to specific domains. However, I'm
seeing some odd behaviour where the "packet" field is logging the
header information for a different packet in the stream. For example
in the alert event JSON, my payload field contains the expected
encoded GET request, but the "packet" field contains the encoded
packet header for a different packet in the stream, which means
certain properties like the TCP flags and packet size are incorrect.

1. Is this expected behaviour?
2. Is there a better way to extract/log the full packet that tripped an alert?
3. Is there an easy way to extract packet header properties (e.g. TCP
flags, packet size)?

My eve output config looks like this:

<snip>
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      pcap-file: false
      types:
        - alert:
            payload: yes
            packet: yes
            tagged-packets: yes
</snip>

Let me know if you need any more details. Thanks all!

\\korodev

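The decode-and-reassemble step described in the post, as an added example that is not from the post or from Suricata itself: a Python script that base64-decodes the "packet" and "payload" fields of one eve alert record, pulls the TCP flags and sizes out of the headers, and reports whether the logged payload is really the data carried by the logged packet. The eve lines and frames are constructed here rather than taken from a capture, and plain Ethernet/IPv4/TCP framing (no VLAN tag, no IPv6) is assumed.

```python
import base64
import json
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]

def parse_frame(raw):
    """Parse Ethernet/IPv4/TCP headers from the decoded eve "packet" field.
    Only plain Ethernet + IPv4 + TCP is handled (no VLAN tags, no IPv6)."""
    if len(raw) < 34 or struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("expected an Ethernet/IPv4 frame")
    ihl = (raw[14] & 0x0F) * 4                      # IP header length in bytes
    ip_total_len = struct.unpack("!H", raw[16:18])[0]
    if raw[23] != 6:                                # IP protocol field
        raise ValueError("expected TCP")
    tcp = 14 + ihl                                  # offset of the TCP header
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[tcp:tcp + 14])
    flags = off_flags & 0x01FF                      # low 9 bits hold the TCP flags
    return {"frame_len": len(raw), "ip_total_len": ip_total_len,
            "sport": sport, "dport": dport,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
            "payload_offset": tcp + (off_flags >> 12) * 4}

def check_alert(eve_line):
    """Decode one eve alert record and report the header properties plus
    whether the logged payload is really the data carried by the logged packet."""
    ev = json.loads(eve_line)
    pkt = base64.b64decode(ev["packet"])
    payload = base64.b64decode(ev["payload"])
    info = parse_frame(pkt)
    info["payload_matches_packet"] = pkt[info["payload_offset"]:] == payload
    return info

def build_frame(payload, tcp_flags):
    """Constructed test frame, not a capture: zero MACs, 192.0.2.x addresses."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, (5 << 12) | tcp_flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return bytes(12) + b"\x08\x00" + ip + tcp + payload

GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

def sample_alert(frame):
    """Constructed eve alert line carrying the given frame and the GET as payload."""
    return json.dumps({"event_type": "alert", "packet": base64.b64encode(frame).decode(),
                       "payload": base64.b64encode(GET).decode()})

GOOD = sample_alert(build_frame(GET, 0x18))   # PSH|ACK frame that carries the GET
BAD = sample_alert(build_frame(b"", 0x10))    # bare ACK header with the GET as payload
```

Running `check_alert` over real eve.json lines (one JSON object per line, `event_type == "alert"`) gives the TCP flags and sizes directly, and a `payload_matches_packet` of False marks records where the header and payload came from different packets.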
