Enrichment for Application layer protocol related events

Hello guys,
I am new to Suricata. I figured out that Suricata is able to log protocol-related events into eve.json.
It looks good, but my question is whether more detailed information from the request/response can be added to the event log, just like the detailed info we can see in Wireshark?
How can I do it? Do I have to modify the source code?

Thank you guys in advance!

Take an SMB event log generated by Suricata, for example:

{
  "timestamp": "2021-08-03T11:30:25.373358+0800",
  "flow_id": 461024881902790,
  "in_iface": "eno1",
  "event_type": "smb",
  "src_ip": "192.168.56.10",
  "src_port": 49257,
  "dest_ip": "192.168.56.20",
  "dest_port": 445,
  "proto": "TCP",
  "smb": {
    "id": 4,
    "dialect": "NT LM 0.12",
    "command": "SMB1_COMMAND_NT_TRANS",
    "status": "STATUS_SUCCESS",
    "status_code": "0x0",
    "session_id": 2048,
    "tree_id": 2048
  }
}

Screenshot from Wireshark; there are some fields here that I really need to put into the log shown above:

Hi @xifeng !
Welcome to our forum. :slight_smile:

It looks good, but my question is whether more detailed information from the request/response can be added to the event log, just like the detailed info we can see in Wireshark?

For different protocols, there are different settings that can give you much more in the logs than there is by default in eve.json. For example, with TLS you can enable a lot more in the logs than is already there by uncommenting the required fields in suricata.yaml. You may also need to enable certain settings (also in suricata.yaml) before you can see them in the logs.
However, for the particular case that you mention (SMB), I do not see any setting like that in suricata.yaml. So, I think you will have to add the fields you want in the code for them to show up in eve.json. Please note that we already parse a lot of relevant info from a given protocol header, so you might only need to update the logger file and not the protocol parser; e.g. for SMB, you can find it here.

I would strongly recommend asking in another post whether the fields you are trying to add would be relevant to most of our users and whether they should be logged by default.

Let me know if you need any further help.
Happy coding! :slight_smile:
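The TLS case mentioned in the reply above, as an added configuration example that is not part of the original post or of Suricata's shipped suricata.yaml. It shows the stock eve-log `tls` output type with only the default fields beside the enriched form that lists the extra fields explicitly, and the separate `app-layer` prerequisite that the JA3 fields depend on. Paths and field names are those documented for the Suricata eve `tls` output; the file layout shown is a trimmed assumption, not a complete suricata.yaml.

```yaml
# Added example, not from the original post: the two places in suricata.yaml
# that decide how much TLS detail ends up in eve.json.
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        # Default form: the tls output type with nothing enabled beyond the
        # basic fields.
        #- tls

        # Enriched form: "extended" switches on the extended field set, and
        # "custom" names exactly which fields to emit. certificate and chain
        # (base64 of the server certificate and the rest of the chain) are
        # only logged when listed here; ja3/ja3s need the parser setting below.
        - tls:
            extended: yes
            custom: [subject, issuer, session_resumed, serial, fingerprint, sni,
                     version, not_before, not_after, certificate, chain, ja3, ja3s]

# This is the kind of "certain setting" the reply refers to: listing ja3 in the
# logger is not enough on its own, the TLS parser must also compute the hash.
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      # Default in a stock file is commented out / auto (only on when rules
      # use ja3 keywords); set it explicitly so the logger always gets a value.
      ja3-fingerprints: yes
```

After restarting Suricata, a quick way to confirm the change took effect is to filter eve.json on `"event_type":"tls"` and check that the new keys (for example `ja3` and `certificate`) appear under the `tls` object; if `ja3` is still missing while the other custom fields show up, the `app-layer` half is the part that was not applied.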

That's really helpful, and I really appreciate your timely reply.
I will check the link you provided!