shell_xu (shell xu), post 1
I tried to set tagged-packets: yes. How do I parse the packet field? Can it be read by Wireshark?
suricata.yaml:

```yaml
# enable
tagged-packets: yes
```

Rules: add tag:session,300,seconds

```
alert http any any -> any any (msg:"real seconds rules - httpbin "; flow:to_server,established; http.method; content:"GET"; nocase; http.host; content:"httpbin.org"; tag: session, 30, seconds; classtype:attempted-recon; sid:3020094; rev:1; metadata:created_at 2021_03_01, auther Canon;)
```
eve.json:

```json
{
  "timestamp": "2021-03-01T19:05:19.117410+0800",
  "flow_id": 1115457942532326,
  "in_iface": "ens224",
  "event_type": "packet",
  "src_ip": "192.168.199.10",
  "src_port": 52022,
  "dest_ip": "54.166.163.67",
  "dest_port": 80,
  "proto": "TCP",
  "packet": "1O4HPuOxAAwpvV8vCABFAAA0nlJAAEAGOtXAqMcKNqajQ8s2AFDQ4y/uI+GDcYAQAfXuMQAAAQEICi5U14AHNqRD",
  "packet_info": {
    "linktype": 1
  }
}
```
vjulien (Victor Julien), post 2
The packet field contains the raw packet data (including headers) encoded as base64. So you can decode it to inspect it further:
```
cat /tmp/eve.json | jq -r .packet|base64 -d|hexdump -C
00000000  d4 ee 07 3e e3 b1 00 0c  29 bd 5f 2f 08 00 45 00  |...>....)._/..E.|
00000010  00 34 9e 52 40 00 40 06  3a d5 c0 a8 c7 0a 36 a6  |.4.R@.@.:.....6.|
00000020  a3 43 cb 36 00 50 d0 e3  2f ee 23 e1 83 71 80 10  |.C.6.P../.#..q..|
00000030  01 f5 ee 31 00 00 01 01  08 0a 2e 54 d7 80 07 36  |...1.......T...6|
00000040  a4 43                                             |.C|
00000042
```
Not super interesting in this case, I think.

shell_xu (shell xu), post 3
Thank you! One more question: does it parse the same content as the payload_printable field?
vjulien (Victor Julien), post 4
The payload fields contain only the packet payloads. The packet field also includes headers like Ethernet, IP and any other that may be present.
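Added example (not code from the thread or from the Suricata project) tying posts 2 and 4 together: it decodes the base64 packet field from the eve.json line posted above, walks the Ethernet, IPv4 and TCP headers to separate them from the bare payload (the part payload_printable would show), and wraps the events into a classic pcap file that Wireshark can open. It assumes linktype 1 (Ethernet) and IPv4/TCP, as in the sample; the eve.json line is the one from the thread, reduced to the fields used.

```python
import base64
import json
import struct
from datetime import datetime
# Constructed sample input: the "packet" event posted above, reduced to the fields used here.
EVE_LINES = [
    '{"timestamp": "2021-03-01T19:05:19.117410+0800", "event_type": "packet", '
    '"packet": "1O4HPuOxAAwpvV8vCABFAAA0nlJAAEAGOtXAqMcKNqajQ8s2AFDQ4y/uI+GDcYAQAfXuMQAAAQEICi5U14AHNqRD", '
    '"packet_info": {"linktype": 1}}',
]

def packet_bytes(line: str) -> bytes:  # base64 "packet" field -> raw frame bytes
    return base64.b64decode(json.loads(line)["packet"])

def split_packet(raw: bytes) -> dict:  # walk Ethernet -> IPv4 -> TCP, return headers vs payload
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 over Ethernet (linktype 1) is handled here")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("only TCP is handled here")
    tcp = ip[ihl:total_len]              # bounded by IP total length, so Ethernet trailer padding is dropped
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "flags": tcp[13],
        "header_len": 14 + ihl + data_off,  # bytes present in "packet" but absent from the payload fields
        "payload": tcp[data_off:],          # the bytes that payload / payload_printable would show
    }

def eve_to_pcap(lines) -> bytes:  # classic pcap (microsecond timestamps) from eve.json "packet" events
    records, linktype = [], 1
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "packet":  # skip alert/flow/... events mixed into the same file
            continue
        linktype = ev["packet_info"]["linktype"]   # all records in one pcap must share it; 1 = Ethernet
        raw = packet_bytes(line)
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        records.append(struct.pack("<IIII", int(ts.timestamp()), ts.microsecond, len(raw), len(raw)) + raw)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return header + b"".join(records)

if __name__ == "__main__":
    info = split_packet(packet_bytes(EVE_LINES[0]))
    print(f'{info["src"]}:{info["sport"]} -> {info["dst"]}:{info["dport"]}, payload {len(info["payload"])} bytes')
    with open("tagged.pcap", "wb") as f:  # open this file in Wireshark
        f.write(eve_to_pcap(EVE_LINES))
```

For the sample above the payload is empty (a bare ACK), which is why the hexdump looks uninteresting: all 66 bytes are Ethernet, IP and TCP headers.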