Alert Payload Questions

mhmarty · March 9, 2022, 8:02pm

Is there a way to control where the payload/payload_printable begins for an alert in eve.json?

Is the payload/payload_printable supposed to begin at the start of the TCP stream?

I thought that was the case but I recently ran into a situation where the payload_printable in eve.json began at packet 83 of a 166 packet session and DID NOT include the content that triggered the alert.

More generally, I’m asking because I want the payload to include the content that triggers an alert. This has proven difficult for large SMTP sessions like the one mentioned above (131k in this case).

Jeff_Lucovsky · March 10, 2022, 3:14pm

Hi,
Note that you can include the packet that triggered the alert or the payload. I don’t think there’s a way to indicate what range of the payload is printed. The packet may be what you’re after?

mhmarty · March 11, 2022, 6:49pm

Yes packet may be what I’m after. I’m running some tests with it now. Based on my reading I had convinced myself that packet only includes headers and no payload. I see now that is not the case. Thank you for the response.

Topic		Replies	Views
In case of alert event type, what packet and payload fields contain? Help	4	1332	October 15, 2021
Some log events have empty payload and payload_printable Help	1	1200	July 27, 2021
Is there a way to remove the payload data in Alert-Debug.log? Help	1	462	June 12, 2020
Missing event data from Eve log Help	5	986	October 1, 2020
Suricata 6.0.0 not displaying payload and http-body fields in alerts Help	2	1258	January 18, 2021

Alert Payload Questions

Related topics