Raw packets when detected?

shyang · June 1, 2020, 10:55am

Can I get raw packets when detected?

Packets containing patterns

I want to use it in the following cases.

When checking whether it was detected normally according to the pattern,
When I want to correct the pattern by checking False Positive

Please let me know if there is a recommendation.

syoc · June 2, 2020, 7:08am

As in matching a pattern in a TCP or UDP payload? Or having a generic pattern for the packet headers?
Perhaps you could try giving an example of what you want to accomplish.

shyang · June 2, 2020, 1:35pm

I can create a detection rule using headers, or a detection rule using content, so I want an entire packet(header + payload).

From a different point of my question,

Can I get only the header(of packet) or only the content(of packet) when it is detected?
Can a detection event trigger a raw packet capturing?

syoc · June 10, 2020, 10:24am

Suricata will send some of the playload as part of the eve json log for the alert.
But it sounds to me like you want full packet capture of just the packets or sessions triggering a Suricata alert.

One way to do that could be post processing of the eve.json and using a secondary tool like stenographer to do the actual packet capturing.

shyang · June 23, 2020, 2:42am

Thanks, but I just want to get the packets used to detect.
Packet logging seems to be a big feature.

I want to know what (raw) packet was used when attacking, and I will use it to check if the pattern is properly created.

Topic		Replies	Views
How to find out which packets triggering the alert Help	2	893	December 13, 2021
"pcap_cnt" is not accurate on TCP streams Help suricata	2	339	January 26, 2023
Surcata5.0.2 When rules match，log file have no information Help	2	760	April 23, 2020
Http traffic is not detected after updating to Suricata 7 Help	17	361	February 13, 2024
Alert based on custom http header with suricata rule Rules aws-network-firewall	3	712	June 26, 2023

Raw packets when detected?

Related Topics