Raw packets when detected?

Can I get raw packets when detected?

  • Packets containing patterns

I want to use it in the following cases.

  • When checking whether it was detected normally according to the pattern,
  • When I want to correct the pattern by checking False Positive

Please let me know if there is a recommendation.

As in matching a pattern in a TCP or UDP payload? Or having a generic pattern for the packet headers?
Perhaps you could try giving an example of what you want to accomplish.

I can create a detection rule using headers, or a detection rule using content, so I want the entire packet (header + payload).

From a different angle on my question,

  1. Can I get only the header (of the packet) or only the content (of the packet) when it is detected?
  2. Can a detection event trigger raw packet capturing?

Suricata will send some of the payload as part of the eve json log for the alert.
But it sounds to me like you want full packet capture of just the packets or sessions triggering a Suricata alert.

One way to do that could be post processing of the eve.json and using a secondary tool like stenographer to do the actual packet capturing.

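
One way to do the eve.json post-processing described in the reply above, as an added example that is not from this thread or from the Suricata project: it keeps the alert events, decodes the base64 `payload` field (the bytes the rule matched on), builds a 5-tuple BPF filter you can hand to a secondary full-packet capture such as stenographer, and, when the alert output has `packet: yes` enabled so Suricata logs the triggering packet, writes those bytes out as a pcap for checking the rule. The eve lines, rule name and frame bytes are constructed placeholders, not real traffic.

```python
import base64
import json
import struct
from datetime import datetime

# Constructed sample eve.json lines (not real traffic). The "payload" and "packet"
# fields are only present when suricata.yaml enables them in the alert eve output.
PLACEHOLDER_FRAME = b"\xde\xad" * 27   # stands in for a 54-byte Ethernet/IPv4/TCP frame
SAMPLE_EVE = [
    json.dumps({"timestamp": "2024-01-15T10:22:33.123456+0000", "flow_id": 1,
                "event_type": "alert", "src_ip": "10.0.0.5", "src_port": 51234,
                "dest_ip": "10.0.0.9", "dest_port": 80, "proto": "TCP",
                "alert": {"signature_id": 1000001, "rev": 1,
                          "signature": "LOCAL test rule (constructed)"},
                "payload": base64.b64encode(b"GET /admin HTTP/1.1\r\n").decode(),
                "packet": base64.b64encode(PLACEHOLDER_FRAME).decode(),
                "packet_info": {"linktype": 1}}),
    json.dumps({"timestamp": "2024-01-15T10:22:34.000000+0000",
                "event_type": "flow", "proto": "TCP"}),
]

def parse_alerts(lines):
    """Keep only alert events; other eve types (flow, http, ...) are skipped."""
    events = (json.loads(line) for line in lines if line.strip())
    return [ev for ev in events if ev.get("event_type") == "alert"]

def decoded_payload(alert):
    """The bytes Suricata matched on, from the base64 'payload' field."""
    return base64.b64decode(alert.get("payload", ""))

def bpf_filter(alert):
    """5-tuple filter for pulling the whole session from a secondary capture."""
    return "{} and host {} and port {} and host {} and port {}".format(
        alert["proto"].lower(), alert["src_ip"], alert["src_port"],
        alert["dest_ip"], alert["dest_port"])

def build_pcap(alerts):
    """Return a pcap file (DLT_EN10MB) holding each alert's logged 'packet'."""
    # global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for a in alerts:
        if "packet" not in a or a.get("packet_info", {}).get("linktype") != 1:
            continue  # nothing logged, or not an Ethernet frame
        raw = base64.b64decode(a["packet"])
        ts = datetime.strptime(a["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        # per-packet header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack("<IIII", int(ts.timestamp()), ts.microsecond,
                               len(raw), len(raw)))
        out.append(raw)
    return b"".join(out)
```

Write `build_pcap(parse_alerts(open("eve.json")))` to a `.pcap` file and open it in Wireshark next to the rule to confirm the match, or use `bpf_filter()` against a full capture when only the payload snippet was logged.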

Thanks, but I just want to get the packets used to detect.
Packet logging seems to be a big feature.

I want to know what (raw) packet was used when attacking, and I will use it to check if the pattern is properly created.