Feature #1380

open

JSON and Unified2 output "payload" does not contain full (or real in the case of Unified2) packets for session

Added by Kenneth Shelton almost 10 years ago. Updated almost 9 years ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Proposed solution

  • Optionally use pcapng format instead of pcap (compile-time, run-time?)
    • Extended Packet Block option field supports arbitrary option code (can get one assigned or use 1 in MSB to signify local) with TLV format for block
    • Use this to store flowid in every packet for a given flow
    • Will allow strong correlation of FULL session that triggered alert
    • Can reduce duplication of packet data for flows that trigger multiple alerts
  • libpcap only supports reading pcapng (not all fields)
  • NTAR (http://www.winpcap.org/ntar/) is a library that could be used to provide writing in the short-term
  • Can also write flowid in files metadata for file extraction to allow easy linkage back to flows (array to prevent duplicates)
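The proposal above hinges on one mechanism: a per-packet option in each pcapng Enhanced Packet Block that carries the flow identifier, so every packet written for a flow can be pulled back together regardless of how many alerts that flow raised. The following is an added example, not code from this issue or from Suricata, that writes a minimal pcapng file (Section Header Block, Interface Description Block, one Enhanced Packet Block per packet) with such a flowid option, reads it back while checking the block framing, and groups the packets by flow. It assumes an option code `OPT_FLOWID = 0x8001` under the issue's "MSB set means local use" convention (not an assigned code; the current pcapng draft would instead use a custom option with a registered enterprise number), little-endian sections only, and constructed placeholder packet bytes rather than real traffic.

```python
"""Added example: per-flow tagging of pcapng Enhanced Packet Blocks (EPBs).

Not Suricata code. The option code OPT_FLOWID is an assumed local-use code
following the issue's suggestion (MSB set); sample packets are constructed.
"""
import struct

BT_SHB = 0x0A0D0D0A      # Section Header Block type
BT_IDB = 0x00000001      # Interface Description Block type
BT_EPB = 0x00000006      # Enhanced Packet Block type
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT = 0
OPT_FLOWID = 0x8001      # assumed local-use option code (MSB set), per the issue
LINKTYPE_ETHERNET = 1


def _pad4(b: bytes) -> bytes:
    """pcapng pads packet data and option values to 32-bit boundaries."""
    return b + b"\x00" * (-len(b) % 4)


def _option(code: int, value: bytes) -> bytes:
    """Option TLV: uint16 code, uint16 length (unpadded), padded value."""
    return struct.pack("<HH", code, len(value)) + _pad4(value)


def _block(block_type: int, body: bytes) -> bytes:
    """Generic block: type, total length, body, total length again (trailer)."""
    total = 8 + len(body) + 4
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def build_pcapng(packets) -> bytes:
    """packets: iterable of (flow_id, timestamp_us, payload) -> pcapng bytes.

    Each EPB gets an OPT_FLOWID option holding the flow id as uint64, so a
    reader can reassemble the full session that triggered an alert.
    """
    # SHB: magic, major 1, minor 0, section length -1 (unspecified), options
    shb_body = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + _option(OPT_ENDOFOPT, b"")
    # IDB: linktype, reserved, snaplen; no if_tsresol option => microseconds
    idb_body = struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 65535) + _option(OPT_ENDOFOPT, b"")
    out = [_block(BT_SHB, shb_body), _block(BT_IDB, idb_body)]
    for flow_id, ts_us, payload in packets:
        body = struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF,
                           len(payload), len(payload))          # iface, ts hi/lo, caplen, origlen
        body += _pad4(payload)
        body += _option(OPT_FLOWID, struct.pack("<Q", flow_id)) + _option(OPT_ENDOFOPT, b"")
        out.append(_block(BT_EPB, body))
    return b"".join(out)


def _parse_options(buf: bytes) -> dict:
    """Walk a TLV option list until opt_endofopt; returns {code: raw value}."""
    opts, off = {}, 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        opts[code] = buf[off:off + length]
        off += length + (-length % 4)
    return opts


def parse_pcapng(data: bytes):
    """Return [(flow_id or None, payload)] for every EPB, validating framing.

    Length fields are checked before use so a truncated or malformed file
    raises ValueError instead of being sliced past the buffer.
    """
    results, off = [], 0
    while off + 12 <= len(data):
        block_type, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        trailer, = struct.unpack_from("<I", data, off + total - 4)
        if trailer != total:
            raise ValueError(f"block length trailer mismatch at offset {off}")
        body = data[off + 8:off + total - 4]
        if block_type == BT_SHB:
            magic, = struct.unpack_from("<I", body, 0)
            if magic != BYTE_ORDER_MAGIC:
                raise ValueError("only little-endian sections are handled in this example")
        elif block_type == BT_EPB:
            _iface, _ts_hi, _ts_lo, caplen, _origlen = struct.unpack_from("<IIIII", body, 0)
            if 20 + caplen > len(body):
                raise ValueError("captured length exceeds block body")
            payload = body[20:20 + caplen]
            opts = _parse_options(body[20 + caplen + (-caplen % 4):])
            raw = opts.get(OPT_FLOWID)
            flow_id = struct.unpack("<Q", raw)[0] if raw is not None and len(raw) == 8 else None
            results.append((flow_id, payload))
        off += total
    return results


def group_by_flow(records) -> dict:
    """Reassemble packets per flow id; untagged packets land under None."""
    flows = {}
    for flow_id, payload in records:
        flows.setdefault(flow_id, []).append(payload)
    return flows


# Constructed sample: two flows, one of which has two packets (e.g. two alerts).
SAMPLE_PACKETS = [
    (1001, 1_600_000_000_000_000, b"\x00" * 14 + b"flow-1001 pkt A"),
    (2002, 1_600_000_000_000_500, b"\x00" * 14 + b"flow-2002 pkt A"),
    (1001, 1_600_000_000_001_000, b"\x00" * 14 + b"flow-1001 pkt B"),
]


def demo() -> dict:
    """Round-trip the sample through the writer and reader, grouped by flow."""
    return group_by_flow(parse_pcapng(build_pcapng(SAMPLE_PACKETS)))


if __name__ == "__main__":
    for fid, pkts in demo().items():
        print(fid, [p[14:] for p in pkts])
```

Because the tag lives in a per-block option rather than in the packet bytes, a reader that does not know the code (such as libpcap's pcapng reader) simply skips it and still sees an ordinary capture, while a flow-aware consumer can reconstruct the full session from a single file without duplicating packet data across alerts.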

Related issues (1 open, 0 closed)

Related to Suricata - Bug #3480: EVE JSON - Incorrect Packet Logged (Status: New; Assignee: OISF Dev)

#1

Updated by Andreas Herz almost 9 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
#2

Updated by Jason Ish almost 3 years ago

  • Related to Bug #3480: EVE JSON - Incorrect Packet Logged added