[Oisf-users] How to know which packets caused an alert?

Sascha Steinbiss satta at debian.org
Sat Feb 8 16:52:29 UTC 2020


Hi Lucas,

> I'm testing some rules and pcaps and I would like to know the exact packets which are causing alerts. Is there any way to do that?

When running rules on pcaps, the EVE-JSON output of the alert (event_type: alert) includes ‘pcap_cnt’ and ‘pcap_filename’ fields that reference the specific pcap file and the packet number of the packet that triggered the alert.

See https://suricata.readthedocs.io/en/suricata-5.0.0/output/eve/eve-json-format.html#pcap-fields for more details.

Cheers
Sascha
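The lookup Sascha describes, as an added example that is not part of the original thread or of Suricata itself: a small script that reads an eve.json file, keeps only the alert events, groups them by pcap_filename and pcap_cnt, and turns the result into a Wireshark display filter and editcap commands that carve out just the alerting packets. The eve.json lines are constructed for this example (trimmed to the fields the script uses), and it assumes that pcap_cnt counts packets from 1 like Wireshark's frame.number, which is what Suricata does when reading with -r; alerts from live capture carry no pcap fields and are counted as skipped.

```python
"""Map Suricata EVE-JSON alerts back to the packets that triggered them."""
import json
import shlex
from collections import defaultdict
from pathlib import Path

# Constructed sample of an eve.json file (hand-written for this example, not
# real Suricata output). One JSON event per line; only the fields used here
# are kept. The last alert lacks pcap_cnt/pcap_filename, as a live-mode
# alert would, and the final line is deliberately malformed.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2020-02-08T16:00:01.000000+0000","event_type":"alert",'
    '"pcap_cnt":5,"pcap_filename":"/pcaps/test1.pcap","src_ip":"10.0.0.5",'
    '"dest_ip":"10.0.0.9","alert":{"signature_id":1000001,"rev":1,'
    '"signature":"TEST rule A"}}',
    '{"timestamp":"2020-02-08T16:00:01.200000+0000","event_type":"flow",'
    '"pcap_cnt":6,"pcap_filename":"/pcaps/test1.pcap"}',
    '{"timestamp":"2020-02-08T16:00:02.000000+0000","event_type":"alert",'
    '"pcap_cnt":17,"pcap_filename":"/pcaps/test1.pcap","src_ip":"10.0.0.9",'
    '"dest_ip":"10.0.0.5","alert":{"signature_id":1000002,"rev":2,'
    '"signature":"TEST rule B"}}',
    '{"timestamp":"2020-02-08T16:00:02.100000+0000","event_type":"alert",'
    '"pcap_cnt":17,"pcap_filename":"/pcaps/test1.pcap","src_ip":"10.0.0.9",'
    '"dest_ip":"10.0.0.5","alert":{"signature_id":1000001,"rev":1,'
    '"signature":"TEST rule A"}}',
    '{"timestamp":"2020-02-08T16:00:03.000000+0000","event_type":"alert",'
    '"pcap_cnt":3,"pcap_filename":"/pcaps/test2.pcap","src_ip":"10.0.0.7",'
    '"dest_ip":"10.0.0.9","alert":{"signature_id":1000003,"rev":1,'
    '"signature":"TEST rule C"}}',
    '{"timestamp":"2020-02-08T16:00:04.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","dest_ip":"10.0.0.9",'
    '"alert":{"signature_id":1000003,"rev":1,"signature":"TEST rule C"}}',
    'this line is not JSON',
])


def iter_alerts(lines):
    """Yield parsed alert events; skip blank, unparseable and non-alert lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert":
            yield event


def index_alert_packets(lines):
    """Return ({pcap_filename: {pcap_cnt: [signature_id, ...]}}, skipped).

    skipped counts alerts without pcap fields (e.g. from live capture).
    Several alerts can point at the same packet, hence the list of SIDs.
    """
    index = defaultdict(lambda: defaultdict(list))
    skipped = 0
    for event in iter_alerts(lines):
        fname, cnt = event.get("pcap_filename"), event.get("pcap_cnt")
        if fname is None or cnt is None:
            skipped += 1
            continue
        index[fname][cnt].append(event["alert"]["signature_id"])
    return {f: dict(c) for f, c in index.items()}, skipped


def wireshark_filter(pcap_cnts):
    """Display filter selecting the given packet numbers.

    Assumes pcap_cnt is 1-based like Wireshark's frame.number.
    """
    return " || ".join(f"frame.number == {n}" for n in sorted(set(pcap_cnts)))


def editcap_commands(index, suffix=".alerts.pcap"):
    """One `editcap -r IN OUT N...` command per pcap, keeping only alerting packets."""
    cmds = []
    for fname in sorted(index):
        out = str(Path(fname).with_name(Path(fname).stem + suffix))
        nums = " ".join(str(n) for n in sorted(index[fname]))
        cmds.append(f"editcap -r {shlex.quote(fname)} {shlex.quote(out)} {nums}")
    return cmds


if __name__ == "__main__":
    index, skipped = index_alert_packets(SAMPLE_EVE.splitlines())
    for fname, packets in sorted(index.items()):
        print(fname)
        for cnt, sids in sorted(packets.items()):
            print(f"  packet {cnt}: SIDs {sids}")
        print("  filter:", wireshark_filter(packets))
    print(f"alerts without pcap fields: {skipped}")
    for cmd in editcap_commands(index):
        print(cmd)
```

Two caveats when using the output: pcap_cnt identifies the packet on which Suricata raised the alert, so for rules matching on reassembled stream or application-layer data that is the packet that completed the match, not necessarily the one carrying the matching bytes; and packet numbers only line up with Wireshark if both tools read the same file unfiltered.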