packet captures in Suricata

[nycaleksey]

Hi,

Does anyone know if it is possible to have Suricata configured to save the packets that generated every alert?

Quite often the alert itself does not have enough information to investigate the events, and being able to analyze the captures would be really helpful.

Thank you,

Aleksey

[guillaume.u]

Hello,

+1, I have the same question :)

Thanks,

Guillaume.

[mimugmail]

It's not possible since it would has to write ALL packets to disc to save the capture. You can only search for the Eule to see why it was hitten

[guillaume.u]

Hello Mimugmail,

It's not for ALL packets but only for packets which triggers alerts.

Snort do/did it with BASE front end and it was very usefull.

[mimugmail]

So then it would be better to ask in the Suricata mailing list for a feature like that.

[guillaume.u]

In fact, it exists in suricata by adding, in suricata.yaml :

Code Select Expand

  - eve-log:
        - alert:
            payload: yes
            payload-buffer-size: 4kb
            payload-printable: yes
            packet: yes

It dumps packet in eve.json but I think it's not possible to view it via the UI, only via SSH.

Thanks again.

Guillaume.

Edit : I opened a feature request https://github.com/opnsense/core/issues/1911

[guillaume.u]

As an ugly hack, you can :

* Enable the payload in eve-log (see above).

* Edit and add : /usr/local/opnsense/mvc/app/controllers/OPNsense/IDS/forms/dialogAlert.xml

Code Select Expand

    <field>                                                                     
        <id>payload_printable</id>                                             
        <label>Payload</label>                                                 
        <type>info</type>                                                       
    </field>

* Edit : /usr/local/opnsense/mvc/app/views/OPNsense/IDS/index.volt (to add the payload entry)

Code Select Expand

                <th data-column-id="dest_ip" data-type="string" data-sortable="false" data-width="10em">Modèle:Lang. ('Destination')</th>
                <th data-column-id="payload_printable" data-type="string" data-sortable="false" data-width="10em">Modèle:Lang. ('Payload')</th>
                <th data-column-id="alert" data-type="string" data-sortable="false" >Modèle:Lang. ('Alert')</th>

* Edit : /usr/local/opnsense/service/templates/OPNsense/IDS/suricata.yaml and /usr/local/etc/suricata/suricata.yaml

Code Select Expand

      filename: eve.json                                                       
                 
      types:                                                                   
        - alert:                                                               
            payload: yes                                                       
            payload-buffer-size: 100kb                                         
            payload-printable: yes                                             
            packet: yes

Nota :

• As I didn't really take a look to OPNsense code, I'm not sure that's the good way to make that but It works in my case.
• As I said, this is an ugly hack, there is no integration with the UI to enable/disable this functionality. Moreover, an OPNsense update can remove all of these modifications.

Guillaume.

Edit : Sorry for the double reply.

[nycaleksey]

Thanks a lot, this is a good start, and is very helpful for me.

I will play with these settings and if I can make it right and configurable in OPNsense interface, I will submit a patch for the maintainers to review and consider.