Raw packets when detected?

shyang · June 1, 2020, 10:55am

Can I get raw packets when detected?

Packets containing patterns

I want to use it in the following cases.

When checking whether it was detected normally according to the pattern,
When I want to correct the pattern by checking False Positive

Please let me know if there is a recommendation.

syoc · June 2, 2020, 7:08am

As in matching a pattern in a TCP or UDP payload? Or having a generic pattern for the packet headers?
Perhaps you could try giving an example of what you want to accomplish.

shyang · June 2, 2020, 1:35pm

I can create a detection rule using headers, or a detection rule using content, so I want an entire packet(header + payload).

From a different point of my question,

Can I get only the header(of packet) or only the content(of packet) when it is detected?
Can a detection event trigger a raw packet capturing?

syoc · June 10, 2020, 10:24am

Suricata will send some of the playload as part of the eve json log for the alert.
But it sounds to me like you want full packet capture of just the packets or sessions triggering a Suricata alert.

One way to do that could be post processing of the eve.json and using a secondary tool like stenographer to do the actual packet capturing.

shyang · June 23, 2020, 2:42am

Thanks, but I just want to get the packets used to detect.
Packet logging seems to be a big feature.

I want to know what (raw) packet was used when attacking, and I will use it to check if the pattern is properly created.

Topic		Replies	Views
Some log events have empty payload and payload_printable Help	1	1228	July 27, 2021
In case of alert event type, what packet and payload fields contain? Help	4	1367	October 15, 2021
How to find out which packets triggering the alert Help	2	1037	December 13, 2021
"pcap_cnt" is not accurate on TCP streams Help suricata	2	461	January 26, 2023
When capturing http traffic, the entire subsequent stream is lost Help	2	377	July 28, 2022

Raw packets when detected?

Related topics