Project

General

Profile

Actions
Copy link

Feature #1380

open

JSON and Unified2 output "payload" does not contain full (or real in the case of Unified2) packets for session

Added by Kenneth Shelton over 9 years ago. Updated almost 9 years ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Proposed solution

  • Optionally use pcapng format instead of pcap (compile-time, run-time?)
    • Extended Packet Block option field supports arbitrary option code (can get one assigned or use 1 in MSB to signify local) with TLV format for block
    • Use this to store flowid in every packet for a given flow
    • Will allow strong correlation of FULL session that triggered alert
    • Can reduce duplication of packet data for flows that trigger multiple alerts
  • libpcap only supports reading pcapng (not all fields)
  • NTAR (http://www.winpcap.org/ntar/) is a library that could be used to provide writing in the short-term
  • Can also write flowid in files metadata for file extraction to allow easy linkage back to flows (array to prevent duplicates)

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #3480: EVE JSON - Incorrect Packet LoggedNewOISF DevActions
Actions
Copy link
 #1

Updated by Andreas Herz almost 9 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions
Copy link
 #2

Updated by Jason Ish over 2 years ago

  • Related to Bug #3480: EVE JSON - Incorrect Packet Logged added
Actions
Copy link

Also available in: Atom PDF