OPNsense Forum

English Forums => General Discussion => Topic started by: nycaleksey on October 31, 2017, 03:22:38 pm

Title: packet captures in Suricata
Post by: nycaleksey on October 31, 2017, 03:22:38 pm
Hi,

Does anyone know if it is possible to have Suricata configured to save the packets that generated every alert?

Quite often the alert itself does not have enough information to investigate the events, and being able to analyze the captures would be really helpful.

Thank you,

Aleksey
Title: Re: packet captures in Suricata
Post by: guillaume.u on November 02, 2017, 04:14:32 pm
Hello,

+1, I have the same question :)

Thanks,

Guillaume.
Title: Re: packet captures in Suricata
Post by: mimugmail on November 02, 2017, 07:00:17 pm
It's not possible since it would have to write ALL packets to disk to save the capture. You can only search for the rule to see why it was hit.
Title: Re: packet captures in Suricata
Post by: guillaume.u on November 02, 2017, 07:34:16 pm
Hello Mimugmail,

It's not for ALL packets but only for packets which trigger alerts.

Snort does/did it with the BASE front end and it was very useful.
Title: Re: packet captures in Suricata
Post by: mimugmail on November 03, 2017, 05:40:10 am
So then it would be better to ask in the Suricata mailing list for a feature like that.
Title: Re: packet captures in Suricata
Post by: guillaume.u on November 03, 2017, 09:30:13 am
In fact, it exists in Suricata by adding, in suricata.yaml:
Code:
  - eve-log:
      # the alert type has to sit under "types:" of the eve-log output section
      types:
        - alert:
            payload: yes              # raw payload, base64-encoded in eve.json
            payload-buffer-size: 4kb
            payload-printable: yes    # payload with non-printable bytes replaced
            packet: yes               # whole packet, base64-encoded in eve.json

It dumps the packet into eve.json, but I think it's not possible to view it via the UI, only via SSH.

Thanks again.

Guillaume.

Edit: I opened a feature request https://github.com/opnsense/core/issues/1911
Title: Re: packet captures in Suricata
Post by: guillaume.u on November 03, 2017, 07:11:01 pm
As an ugly hack, you can:

* Enable the payload in eve-log (see above).

* Edit and add to /usr/local/opnsense/mvc/app/controllers/OPNsense/IDS/forms/dialogAlert.xml:
Code:
    <!-- shows the payload_printable value of the alert record in the alert dialog -->
    <field>
        <id>payload_printable</id>
        <label>Payload</label>
        <type>info</type>
    </field>

* Edit /usr/local/opnsense/mvc/app/views/OPNsense/IDS/index.volt (to add the payload column):
Code:
                <th data-column-id="dest_ip" data-type="string" data-sortable="false" data-width="10em">{{ lang._('Destination') }}</th>
                <th data-column-id="payload_printable" data-type="string" data-sortable="false" data-width="10em">{{ lang._('Payload') }}</th>
                <th data-column-id="alert" data-type="string" data-sortable="false" >{{ lang._('Alert') }}</th>

* Edit /usr/local/opnsense/service/templates/OPNsense/IDS/suricata.yaml and /usr/local/etc/suricata/suricata.yaml:
Code:
      filename: eve.json

      types:
        - alert:
            payload: yes
            payload-buffer-size: 100kb   # larger buffer than the 4kb default above
            payload-printable: yes
            packet: yes

Nota:

Guillaume.

Edit: Sorry for the double reply.
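Once `packet: yes` and `payload-printable: yes` are enabled as in the two configurations above, each alert line in eve.json carries the base64-encoded packet (with its link type in `packet_info`) and the printable payload, which is what the UI hack displays. The script below is an added example, not from the forum or from OPNsense, that turns those alert records into a pcap file you can open in Wireshark, optionally filtered to one signature id. The eve.json records are constructed here to the shape Suricata writes; the addresses, rule ids and the frame contents are hypothetical.

```python
import base64
import json
import struct
from datetime import datetime

# --- Constructed sample data (not real Suricata output) ------------------------
def _sample_frame() -> bytes:
    """Build a minimal Ethernet/IPv4/UDP frame with hypothetical addresses (58 bytes)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, IPv4
    payload = b"GET / HTTP/1.1\r\n"                             # 16 bytes, hypothetical
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return eth + ip + udp

def _sample_record(sid: int, with_packet: bool) -> str:
    """One eve.json line shaped like a Suricata alert logged with payload/packet on."""
    frame = _sample_frame()
    rec = {
        "timestamp": "2017-11-03T09:30:13.123456+0100",
        "event_type": "alert",
        "src_ip": "192.0.2.10", "dest_ip": "198.51.100.5", "proto": "UDP",
        "alert": {"signature_id": sid, "signature": f"LOCAL hypothetical rule {sid}"},
        "payload": base64.b64encode(frame[42:]).decode(),   # bytes after the UDP header
        "payload_printable": "GET / HTTP/1.1..",             # non-printables become '.'
    }
    if with_packet:
        rec["packet"] = base64.b64encode(frame).decode()
        rec["packet_info"] = {"linktype": 1}                 # 1 = DLT_EN10MB (Ethernet)
    return json.dumps(rec)

SAMPLE_EVE_LINES = [
    _sample_record(1000001, True),
    json.dumps({"timestamp": "2017-11-03T09:30:14.000000+0100", "event_type": "flow"}),
    _sample_record(1000002, True),
    _sample_record(1000003, False),   # alert written with packet: no, nothing to export
]

# --- Conversion ------------------------------------------------------------------
PCAP_MAGIC = 0xA1B2C3D4

def alert_packets(lines, sid=None):
    """Yield (datetime, linktype, raw frame, record) for alerts that carry a packet."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert" or "packet" not in rec:
            continue
        if sid is not None and rec.get("alert", {}).get("signature_id") != sid:
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        linktype = rec.get("packet_info", {}).get("linktype", 1)
        yield ts, linktype, base64.b64decode(rec["packet"]), rec

def build_pcap(lines, sid=None):
    """Return (pcap bytes, packet count) for the exported alert packets.

    A classic pcap file has one link type, so the first packet decides it and
    packets recorded with a different link type are skipped.
    """
    out, linktype, count = bytearray(), None, 0
    for ts, lt, frame, _ in alert_packets(lines, sid):
        if linktype is None:
            linktype = lt
            # magic, major 2, minor 4, tz offset, sigfigs, snaplen, linktype
            out += struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
        if lt != linktype:
            continue
        out += struct.pack("<IIII", int(ts.timestamp()), ts.microsecond, len(frame), len(frame))
        out += frame
        count += 1
    if linktype is None:   # no matching alerts: still emit a valid, empty Ethernet pcap
        out += struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return bytes(out), count

def alert_payloads(lines, sid=None):
    """(signature_id, payload_printable) pairs, i.e. the text the UI hack shows."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert" and "payload_printable" in rec:
            if sid is None or rec["alert"]["signature_id"] == sid:
                out.append((rec["alert"]["signature_id"], rec["payload_printable"]))
    return out

if __name__ == "__main__":
    import sys
    # usage: python eve2pcap.py /path/to/eve.json  (falls back to the constructed sample)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE_LINES
    data, n = build_pcap(src)
    with open("alerts.pcap", "wb") as fh:
        fh.write(data)
    print(f"wrote {n} alert packets to alerts.pcap")
```

Point it at the eve.json the IDS writes and open alerts.pcap in Wireshark; because each frame is the one Suricata saw when the rule fired, the alert line and the packet can be matched by timestamp and signature id. Keep `payload-buffer-size` in mind: a payload longer than that is truncated in the `payload` field, while `packet` is the full captured frame.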
Title: Re: packet captures in Suricata
Post by: nycaleksey on November 13, 2017, 06:48:34 pm
Thanks a lot, this is a good start, and is very helpful for me.

I will play with these settings and if I can make it right and configurable in OPNsense interface, I will submit a patch for the maintainers to review and consider.