How to get the IP version (IPV4 vs IPV6) of an alert using eve.json

travisn · July 7, 2021, 12:58am

Hi,

I was looking through suricata.yaml’s documentation, but could not find a way to get this value. Would I have to parse the base64 string value in the “packet” field of an alert to do this or is there a more convenient way to retrieve this value?

Thanks!

Jeff_Lucovsky · July 7, 2021, 1:09pm

Hi,
You could infer IPv4 vs IPv6 from the IP addresses.

travisn · July 7, 2021, 2:08pm

Ahh. That’s a good idea. Can’t believe I didn’t think of it. Thanks, Jeff.