Using Suricata on on data parsed by other protocol parser

akibsayyed · August 25, 2020, 5:40pm

Respected Forum Members

I have custom protocol parsers which I am using to parse custom protocols. we get output as json from these parsers.

Now i want to use suricata to perform rules based analysis on this json. what all options i have to perform ids operation on this json data.

also while performing ids operation we need to consider previous packets as well more like a batch processing

Jeff_Lucovsky · August 26, 2020, 1:26pm

Hi Akib,

Thanks for the post.

Suricata is a network IDS/IPS/NSM and as such, processes network frames. Rules govern when alerts or other actions are to be taken.

You could use your JSON output and the rules to perform analysis without Suricata.

Topic		Replies	Views
Questions and answers from April 2021's Webinar: An introduction to writing Suricata Rules Rules webinar	3	370	April 22, 2021
Rule 2210008 - help interpreting results Rules	6	981	September 24, 2020
Suricata default rules Rules	3	2177	May 21, 2021
How to detect the restored http raw log with rule engine？ Help	2	348	March 11, 2021
Suricata rules & the proxy protocol Help	4	1190	May 31, 2021