I’ve been working on a forensic mode for Suricata. This is a set of options that can be used to analyze data (mostly pcap files as it is really verbose) and get as much data as possible.
The first one adds an option to log all HTTP headers in alert. As the alert is sometime on specific headers value, getting the all HTTP headers view in alert will help the analyst to understand the events.
The second feature adds HTTP body logging in HTTP events. This can be useful for forensic usage of Suricata.
The third feature adds stream data or payload logging to all NSM events. It is aiming at providing complete data for forensic study or for signature writers.
The output for an HTTP event looks like:
"stream": {
"server": {
"payload": "SFRUUC8xLjEgMjAwIE9LDQpEYXRlOiBXZWQsIDIyIE1hciAyMDE3IDA5OjExOjIyIEdNVA0KU2VydmVyOiBBcGFjaGUvMi40LjI1IChXaW4zMikgT3BlblNTTC8xLjAuMmogUEhQLzUuNi4zMA0KWC1Qb3dlcmVkLUJ5OiBQSFAvNS42LjMwDQpDb250ZW50LUxlbmd0aDogMjQ0DQpLZWVwLUFsaXZlOiB0aW1lb3V0PTUsIG1heD0xMDANCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkNvbnRlbnQtVHlwZTogdGV4dC9odG1sOyBjaGFyc2V0PVVURi04DQoNCjxiciAvPgo8Yj5Ob3RpY2U8L2I+OiAgVW5kZWZpbmVkIGluZGV4OiB2cyBpbiA8Yj5DOlx4YW1wcFxodGRvY3NcVG9ueV9TdGFyazJccG9zdC5waHA8L2I+IG9uIGxpbmUgPGI+MTE8L2I+PGJyIC8+CjxiciAvPgo8Yj5Ob3RpY2U8L2I+OiAgVW5kZWZpbmVkIHZhcmlhYmxlOiBzdWNjZXNzT1VkYW5nZXIgaW4gPGI+QzpceGFtcHBcaHRkb2NzXFRvbnlfU3RhcmsyXHBvc3QucGhwPC9iPiBvbiBsaW5lIDxiPjQ3PC9iPjxiciAvPgo=",
"payload_printable": "HTTP/1.1 200 OK\r\nDate: Wed, 22 Mar 2017 09:11:22 GMT\r\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\r\nX-Powered-By: PHP/5.6.30\r\nContent-Length: 244\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<br />\n<b>Notice</b>: Undefined index: vs in <b>C:\\xampp\\htdocs\\Tony_Stark2\\post.php</b> on line <b>11</b><br />\n<br />\n<b>Notice</b>: Undefined variable: successOUdanger in <b>C:\\xampp\\htdocs\\Tony_Stark2\\post.php</b> on line <b>47</b><br />\n"
},
"client": {
"payload": "cGx1Z2luPVNlbStQbHVnaW4md2luZG93cz1XaW5kb3dzKzcrRW50ZXJwcmlzZSZ1c2VyPUFQSUFSWTctUEMmYXY9Tm8rQW50aXZpcnVzJmJzPU1pY3Jvc29mdCtFZGdl",
"payload_printable": "plugin=Sem+Plugin&windows=Windows+7+Enterprise&user=APIARY7-PC&av=No+Antivirus&bs=Microsoft+Edge"
}
},
"http": {
"hostname": "contador.visitante-group-new.cf",
"http_port": 8080,
"url": "/Tony_Stark2/post.php",
"http_user_agent": "Mozilla/3.0 (compatible; Indy Library)",
"http_content_type": "text/html",
"http_method": "POST",
"protocol": "HTTP/1.0",
"status": 200,
"length": 244,
"request_body": "cGx1Z2luPVNlbStQbHVnaW4md2luZG93cz1XaW5kb3dzKzcrRW50ZXJwcmlzZSZ1c2VyPUFQSUFSWTctUEMmYXY9Tm8rQW50aXZpcnVzJmJzPU1pY3Jvc29mdCtFZGdl",
"response_body": "PGJyIC8+CjxiPk5vdGljZTwvYj46ICBVbmRlZmluZWQgaW5kZXg6IHZzIGluIDxiPkM6XHhhbXBwXGh0ZG9jc1xUb255X1N0YXJrMlxwb3N0LnBocDwvYj4gb24gbGluZSA8Yj4xMTwvYj48YnIgLz4KPGJyIC8+CjxiPk5vdGljZTwvYj46ICBVbmRlZmluZWQgdmFyaWFibGU6IHN1Y2Nlc3NPVWRhbmdlciBpbiA8Yj5DOlx4YW1wcFxodGRvY3NcVG9ueV9TdGFyazJccG9zdC5waHA8L2I+IG9uIGxpbmUgPGI+NDc8L2I+PGJyIC8+Cg==",
"request_body_printable": "plugin=Sem+Plugin&windows=Windows+7+Enterprise&user=APIARY7-PC&av=No+Antivirus&bs=Microsoft+Edge",
"response_body_printable": "<br />\n<b>Notice</b>: Undefined index: vs in <b>C:\\xampp\\htdocs\\Tony_Stark2\\post.php</b> on line <b>11</b><br />\n<br />\n<b>Notice</b>: Undefined variable: successOUdanger in <b>C:\\xampp\\htdocs\\Tony_Stark2\\post.php</b> on line <b>47</b><br />\n"
}
}
For a protocol without stream like DNS we have:
{
"timestamp": "2016-10-15T08:58:37.457573+0200",
"flow_id": 1166971934473061,
"pcap_cnt": 4103,
"event_type": "dns",
"proto": "UDP",
"payload": "Fw8BAAABAAAAAAAAA3d3dwVkaXZhcgJpcgAAAQAB",
"payload_printable": ".............www.divar.ir.....",
"dns": {
"type": "query",
"id": 5903,
"rrname": "www.divar.ir",
"rrtype": "A",
"tx_id": 0
}
}
The Pull Request is here: RFC: Forensic mode v1.2 by regit · Pull Request #4543 · OISF/suricata · GitHub
Feel free to comment and add suggestions.