Feature #1155
closedLog packet payloads in eve alerts
Description
Log packet payloads and full packets in JSON alert output.
- Payload should be printable strings and newlines only so it can be indexed by elasticsearch.
- The full packet should be base64 encoded so it can be stored in an elasticsearch binary type. It won't be indexed, but it will be stored for retrieval and decoding.
- This logging should be globally enabled or disabled in suricata.yaml
- Keywords should be added to enable or disable packet or payload logging on a per-rule basis as well, as many rules trigger on binary data that makes no sense to store or index.
I've attached a patch that adds a "payload" field with the printable characters to all JSON alerts. I wasn't sure how to go about adding a new keyword to make it rule specific. Output looks like this:
{"timestamp":"2014-03-27T13:33:19.873516","event_type":"alert","src_ip":"10.0.0.1","src_port":53136,"dest_ip":"173.208.220.3","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":7000110,"rev":1,"signature":"P2P Zeus HTTP Headers","category":"A Network Trojan was detected","severity":1},"payload":"GET / HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\nHost: duxslfxxkvcvfacubifqkmzkf.org\r\nConnection: Close\r\n\r\n"}
Files
Updated by Victor Julien almost 11 years ago
Making logging depending on rules is a very different subject, and certainly non-trivial. As such, a separate ticket should be dealing with this (might even exist already, not sure).
Base64 for packet payloads would make sense I think.
Wrt the patch, would you mind submitting it through github as described in our contributing guide here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing
Updated by Matt Carothers almost 11 years ago
- File json-payload-patch.diff json-payload-patch.diff added
Oops, wrong patch file. Let's try this again.
Updated by Matt Carothers almost 11 years ago
Victor Julien wrote:
Making logging depending on rules is a very different subject, and certainly non-trivial. As such, a separate ticket should be dealing with this (might even exist already, not sure).
Base64 for packet payloads would make sense I think.
Wrt the patch, would you mind submitting it through github as described in our contributing guide here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing
Will do.
Updated by Victor Julien over 10 years ago
- Status changed from New to Closed
- Assignee set to Matt Carothers
- Target version set to 3.0RC2
- % Done changed from 0 to 100
Same issue as https://redmine.openinfosecfoundation.org/issues/1208, which is fixed.
Updated by Victor Julien over 10 years ago
- Target version changed from 3.0RC2 to 2.1beta1