Alert Payload Questions

mhmarty · March 9, 2022, 8:02pm

Is there a way to control where the payload/payload_printable begins for an alert in eve.json?

Is the payload/payload_printable supposed to begin at the start of the TCP stream?

I thought that was the case but I recently ran into a situation where the payload_printable in eve.json began at packet 83 of a 166 packet session and DID NOT include the content that triggered the alert.

More generally, I’m asking because I want the payload to include the content that triggers an alert. This has proven difficult for large SMTP sessions like the one mentioned above (131k in this case).

Jeff_Lucovsky · March 10, 2022, 3:14pm

Hi,
Note that you can include the packet that triggered the alert or the payload. I don’t think there’s a way to indicate what range of the payload is printed. The packet may be what you’re after?

mhmarty · March 11, 2022, 6:49pm

Yes packet may be what I’m after. I’m running some tests with it now. Based on my reading I had convinced myself that packet only includes headers and no payload. I see now that is not the case. Thank you for the response.

Topic		Replies	Views
How to create pcap with packet:payload fields (eve.json) Help	7	1735	May 9, 2022
How to use tagged-packets Help	1	342	November 27, 2021
How to retrieve full session on basis of alert Help	1	376	February 22, 2022
What does the payload means in the ip-only rules? Rules rules	1	580	April 14, 2022
Alert packet doesn't match signature (stream vs no stream) Rules rules	1	383	January 28, 2022

Alert Payload Questions

Related Topics