[Oisf-users] Relating packets to alerts

jt jtfas90 at gmail.com
Fri Mar 29 16:48:51 UTC 2019


On Fri, 2019-03-29 at 14:27 +0100, Peter Manev wrote:
> On Thu, Mar 28, 2019 at 6:58 PM Luis Escamilla <
> luis at cyberopsec.com.mx> wrote:
> > I would like to create a pcap file of the flow that fired the alert
> > from the tagged packets, but I'm having trouble identifying which
> > packets correspond to a certain alert
> > 
I am not sure there is a 100% native way to do what you are looking
for. The two options that come immediately to mind are:

1. use suricata to capture/write pcap but that will write pcap for more
than just the alert. while this isn't exactly what you are looking for
it does give you pcap files ready for ingestion with
tshark/wireshark/tcpdump/etc.

2. for just alert related packets data, you can add payload/packet to
the eve log alert data. This will add the base64 encoded packet
information to the eve alert data. this method would require an
external mechanism to decode/create the pcap file though.

There may be other options that are not coming to mind at the moment
though and hopefully someone else will chime in with other options.

JT
> It is normal/ok for a single flow to generate multiple records or
> alerts - not just one.
> 
> 
> > On 3/28/19, 7:34 AM, "jt" <jtfas90 at gmail.com> wrote:
> > 
> >     Are you looking for the specific packet number in a given flow
> > that
> >     fired an alert(s)?
> > 
> >     JT
> > 
> >     On Wed, 2019-03-27 at 20:27 +0000, Luis Escamilla wrote:
> >     > Is it possible to identify in an eve log which of the tagged
> > packets
> >     > correspond to certain alert? I have been doing it by flow id,
> > but
> >     > many times, the flow id is related to multiple alerts
> >     > _______________________________________________
> >     > Suricata IDS Users mailing list: 
> > oisf-users at openinfosecfoundation.org
> >     > Site: http://suricata-ids.org | Support:
> >     > http://suricata-ids.org/support/
> >     > List:
> >     > 
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >     >
> >     > Conference: https://suricon.net
> >     > Trainings: https://suricata-ids.org/training/
> > 
> > 
> > 
> > _______________________________________________
> > Suricata IDS Users mailing list: 
> > oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: 
> > http://suricata-ids.org/support/
> > List: 
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > 
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
> 
> 



More information about the Oisf-users mailing list