How to get the IP version (IPV4 vs IPV6) of an alert using eve.json


I was looking through suricata.yaml’s documentation, but could not find a way to get this value. Would I have to parse the base64 string value in the “packet” field of an alert to do this or is there a more convenient way to retrieve this value?


You could infer IPv4 vs IPv6 from the IP addresses.

1 Like

Ahh. That’s a good idea. Can’t believe I didn’t think of it. Thanks, Jeff.