Feature #1155: Log packet payloads in eve alerts
Status: closed
Description
Log packet payloads and full packets in JSON alert output.
- Payload should be printable strings and newlines only so it can be indexed by elasticsearch.
- The full packet should be base64 encoded so it can be stored in an elasticsearch binary type. It won't be indexed, but it will be stored for retrieval and decoding.
- This logging should be globally enabled or disabled in suricata.yaml
- Keywords should be added to enable or disable packet or payload logging on a per-rule basis as well, as many rules trigger on binary data that makes no sense to store or index.
I've attached a patch that adds a "payload" field with the printable characters to all JSON alerts. I wasn't sure how to go about adding a new keyword to make it rule specific. Output looks like this:
{"timestamp":"2014-03-27T13:33:19.873516","event_type":"alert","src_ip":"10.0.0.1","src_port":53136,"dest_ip":"173.208.220.3","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":7000110,"rev":1,"signature":"P2P Zeus HTTP Headers","category":"A Network Trojan was detected","severity":1},"payload":"GET / HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\nHost: duxslfxxkvcvfacubifqkmzkf.org\r\nConnection: Close\r\n\r\n"}
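As an added example that is not part of this issue or of Suricata's own code, the Python below sketches the two transformations the description asks for: the payload reduced to printable ASCII plus CR/LF so it can be indexed as text (other bytes replaced by a dot, an assumed convention), and the full packet base64-encoded for an opaque binary field. The global switch and the per-rule toggles are plain booleans standing in for the suricata.yaml option and the rule keywords the issue requests; the alert metadata is a constructed sample shaped like the output above.

```python
import base64
import json

# Constructed sample, shaped like the alert fields shown in the issue.
ALERT_META = {
    "timestamp": "2014-03-27T13:33:19.873516",
    "event_type": "alert",
    "src_ip": "10.0.0.1", "src_port": 53136,
    "dest_ip": "173.208.220.3", "dest_port": 80, "proto": "TCP",
    "alert": {"action": "allowed", "gid": 1, "signature_id": 7000110,
              "rev": 1, "signature": "P2P Zeus HTTP Headers",
              "category": "A Network Trojan was detected", "severity": 1},
}

def printable_payload(payload: bytes, replacement: str = ".") -> str:
    """Keep printable ASCII (0x20-0x7e) plus CR/LF so the field is safe to
    index as text; every other byte becomes `replacement` (assumed convention)."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E or b in (0x0A, 0x0D)
                   else replacement for b in payload)

def packet_b64(packet: bytes) -> str:
    """Base64 the full packet for an opaque, non-indexed binary field."""
    return base64.b64encode(packet).decode("ascii")

def decode_packet(field: str) -> bytes:
    """Recover the raw packet bytes from the stored base64 field."""
    return base64.b64decode(field)

def build_alert(meta: dict, payload: bytes, packet: bytes,
                global_enabled: bool = True,
                rule_log_payload: bool = True, rule_log_packet: bool = True) -> dict:
    """Assemble one EVE-style alert record. `global_enabled` stands in for the
    suricata.yaml switch; the rule_* flags are hypothetical per-rule keywords."""
    record = dict(meta)
    if global_enabled and rule_log_payload:
        record["payload"] = printable_payload(payload)
    if global_enabled and rule_log_packet:
        record["packet"] = packet_b64(packet)
    return record

def to_eve_line(record: dict) -> str:
    """One compact JSON object per line, as EVE writes them."""
    return json.dumps(record, separators=(",", ":"))

if __name__ == "__main__":
    http = b"GET / HTTP/1.1\r\nHost: example.invalid\r\nConnection: Close\r\n\r\n"
    binary = b"\x00\x01\x02GET\xff\xfe"  # constructed non-text payload
    print(to_eve_line(build_alert(ALERT_META, http, b"\x45\x00" + http)))
    print(to_eve_line(build_alert(ALERT_META, binary, binary, rule_log_payload=False)))
```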