Project

General

Profile

Actions

Feature #1155

closed

Log packet payloads in eve alerts

Added by Matt Carothers about 10 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

Log packet payloads and full packets in JSON alert output.

  • Payload should be printable strings and newlines only so it can be indexed by elasticsearch.
  • The full packet should be base64 encoded so it can be stored in an elasticsearch binary type. It won't be indexed, but it will be stored for retrieval and decoding.
  • This logging should be globally enabled or disabled in suricata.yaml
  • Keywords should be added to enable or disable packet or payload logging on a per-rule basis as well, as many rules trigger on binary data that makes no sense to store or index.

I've attached a patch that adds a "payload" field with the printable characters to all JSON alerts. I wasn't sure how to go about adding a new keyword to make it rule specific. Output looks like this:

{"timestamp":"2014-03-27T13:33:19.873516","event_type":"alert","src_ip":"10.0.0.1","src_port":53136,"dest_ip":"173.208.220.3","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":7000110,"rev":1,"signature":"P2P Zeus HTTP Headers","category":"A Network Trojan was detected","severity":1},"payload":"GET / HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\nHost: duxslfxxkvcvfacubifqkmzkf.org\r\nConnection: Close\r\n\r\n"}


Files

json-payload-patch.diff (2.66 KB) json-payload-patch.diff Matt Carothers, 03/27/2014 12:32 PM
json-payload-patch.diff (2.04 KB) json-payload-patch.diff Matt Carothers, 03/27/2014 01:08 PM
Actions

Also available in: Atom PDF