I run Suricata in user mode to read a Pcap file to scan for alerts. I want to find out the Pcap packets that trigger an alert. I search Suricata documents to find out how, but could not find out anything.
I will appreciate if someone can let me know how to find out the packets that trigger an alert.
In your eve.json file, the is a file called
pcap_cnt that field relates to the packet number, if you open your pcap in Wireshark.
That said, depending on when the parser considers the transaction completed, sometimes there may be some delay with regards to when the alert was really triggered and when it shows up in the logs. If you find out that the
pcap_cnt doesn’t reflect what you would expect from the packet capture, you may try checking the
timestamp, I’d say…
Hope that answers your question!
Hi Ju, Thanks for the info. I will try this out.