Feature #1155

closed

Log packet payloads in eve alerts

Added by Matt Carothers over 8 years ago. Updated about 8 years ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

Log packet payloads and full packets in JSON alert output.

  • Payload should be printable strings and newlines only so it can be indexed by elasticsearch.
  • The full packet should be base64 encoded so it can be stored in an elasticsearch binary type. It won't be indexed, but it will be stored for retrieval and decoding.
  • This logging should be globally enabled or disabled in suricata.yaml
  • Keywords should be added to enable or disable packet or payload logging on a per-rule basis as well, as many rules trigger on binary data that makes no sense to store or index.

I've attached a patch that adds a "payload" field with the printable characters to all JSON alerts. I wasn't sure how to go about adding a new keyword to make it rule specific. Output looks like this:

{"timestamp":"2014-03-27T13:33:19.873516","event_type":"alert","src_ip":"10.0.0.1","src_port":53136,"dest_ip":"173.208.220.3","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":7000110,"rev":1,"signature":"P2P Zeus HTTP Headers","category":"A Network Trojan was detected","severity":1},"payload":"GET / HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\nHost: duxslfxxkvcvfacubifqkmzkf.org\r\nConnection: Close\r\n\r\n"}


Files

json-payload-patch.diff (2.66 KB), Matt Carothers, 03/27/2014 12:32 PM
json-payload-patch.diff (2.04 KB), Matt Carothers, 03/27/2014 01:08 PM
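The four bullets in the description, worked through as an added Python example (not the attached patch or Suricata's own code): the printable "payload" field keeps only printable ASCII plus CR/LF, the full packet goes out base64-encoded, and two boolean flags stand in for the global suricata.yaml switch combined with the per-rule keywords. The "packet" field name, the "." substituted for non-printable bytes, and the sample input are assumptions.

```python
import base64
import json

# Constructed sample input: an HTTP request payload with two binary bytes
# appended, and a stand-in "full packet" (any bytes serve for the demo).
SAMPLE_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n\x00\xff"
SAMPLE_PACKET = bytes(range(0, 64))
SAMPLE_ALERT = {"timestamp": "2014-03-27T13:33:19.873516", "event_type": "alert",
                "src_ip": "10.0.0.1", "dest_ip": "173.208.220.3", "proto": "TCP",
                "alert": {"signature_id": 7000110, "signature": "example"}}


def printable_payload(payload: bytes) -> str:
    """Keep printable ASCII plus CR/LF so the field can be indexed as text.
    Every other byte becomes '.', an assumed placeholder (the page does not
    say what the patch substitutes)."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E or b in (0x0A, 0x0D) else "."
                   for b in payload)


def encode_packet(packet: bytes) -> str:
    """Base64 the whole packet so it fits an Elasticsearch binary field:
    stored for retrieval and decoding, not indexed."""
    return base64.b64encode(packet).decode("ascii")


def build_alert(alert: dict, payload: bytes, packet: bytes,
                log_payload: bool = True, log_packet: bool = True) -> dict:
    """Add the optional fields to an alert record. The two flags model the
    global yaml setting combined with per-rule keywords; rules matching on
    binary data would pass log_payload=False. 'packet' name is assumed."""
    record = dict(alert)
    if log_payload:
        record["payload"] = printable_payload(payload)
    if log_packet:
        record["packet"] = encode_packet(packet)
    return record


def to_eve_line(record: dict) -> str:
    """One compact JSON object per line, the way eve.json is written."""
    return json.dumps(record, separators=(",", ":"))


if __name__ == "__main__":
    print(to_eve_line(build_alert(SAMPLE_ALERT, SAMPLE_PAYLOAD, SAMPLE_PACKET)))
```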
Actions #1

Updated by Victor Julien over 8 years ago

Making logging depend on rules is a very different subject, and certainly non-trivial. As such, a separate ticket should be dealing with this (might even exist already, not sure).

Base64 for packet payloads would make sense I think.

Wrt the patch, would you mind submitting it through github as described in our contributing guide here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing

Actions #2

Updated by Matt Carothers over 8 years ago

Oops, wrong patch file. Let's try this again.

Actions #3

Updated by Matt Carothers over 8 years ago

Victor Julien wrote:

Making logging depend on rules is a very different subject, and certainly non-trivial. As such, a separate ticket should be dealing with this (might even exist already, not sure).

Base64 for packet payloads would make sense I think.

Wrt the patch, would you mind submitting it through github as described in our contributing guide here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing

Will do.

Actions #4

Updated by Victor Julien about 8 years ago

  • Status changed from New to Closed
  • Assignee set to Matt Carothers
  • Target version set to 3.0RC2
  • % Done changed from 0 to 100

Actions #5

Updated by Victor Julien about 8 years ago

  • Target version changed from 3.0RC2 to 2.1beta1