OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of guillaume.u »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - guillaume.u

Pages: [1]
1
General Discussion / Re: packet captures in Suricata
« on: November 03, 2017, 07:11:01 pm »
As an ugly hack, you can :

* Enable the payload in eve-log (see above).

* Edit and add : /usr/local/opnsense/mvc/app/controllers/OPNsense/IDS/forms/dialogAlert.xml
Code: [Select]
    <field>                                                                     
        <id>payload_printable</id>                                             
        <label>Payload</label>                                                 
        <type>info</type>                                                       
    </field>
* Edit : /usr/local/opnsense/mvc/app/views/OPNsense/IDS/index.volt (to add the payload entry)
Code: [Select]
                <th data-column-id="dest_ip" data-type="string" data-sortable="false" data-width="10em">Modèle:Lang. ('Destination')</th>
                <th data-column-id="payload_printable" data-type="string" data-sortable="false" data-width="10em">Modèle:Lang. ('Payload')</th>
                <th data-column-id="alert" data-type="string" data-sortable="false" >Modèle:Lang. ('Alert')</th>
* Edit : /usr/local/opnsense/service/templates/OPNsense/IDS/suricata.yaml and /usr/local/etc/suricata/suricata.yaml
Code: [Select]
      filename: eve.json                                                       
                 
      types:                                                                   
        - alert:                                                               
            payload: yes                                                       
            payload-buffer-size: 100kb                                         
            payload-printable: yes                                             
            packet: yes
Nota :
  • As I didn't really take a look to OPNsense code, I'm not sure that's the good way to make that but It works in my case.
  • As I said, this is an ugly hack, there is no integration with the UI to enable/disable this functionality. Moreover, an OPNsense update can remove all of these modifications.

Guillaume.

Edit : Sorry for the double reply.

2
General Discussion / Re: packet captures in Suricata
« on: November 03, 2017, 09:30:13 am »
In fact, it exists in suricata by adding, in suricata.yaml :
Code: [Select]
  - eve-log:
        - alert:
            payload: yes
            payload-buffer-size: 4kb
            payload-printable: yes
            packet: yes
It dumps packet in eve.json but I think it's not possible to view it via the UI, only via SSH.

Thanks again.

Guillaume.

Edit : I opened a feature request https://github.com/opnsense/core/issues/1911

3
General Discussion / Re: packet captures in Suricata
« on: November 02, 2017, 07:34:16 pm »
Hello Mimugmail,

It's not for ALL packets but only for packets which triggers alerts.

Snort do/did it with BASE front end and it was very usefull.

4
General Discussion / Re: packet captures in Suricata
« on: November 02, 2017, 04:14:32 pm »
Hello,

+1, I have the same question :)

Thanks,

Guillaume.

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2