Netgate Discussion Forum

Suricata reassembled stream
Kagan:
Hello,
I want to obtain the reassembled stream payload for both TCP and UDP in Suricata. How can I obtain stream data in the source code? Which methods/classes in the source provide or manipulate stream data?
In short, I want to extract all streaming data from Suricata and use it when it is sniffing the network.

bmeeks (replying to Kagan):
@Kagan said in Suricata reassembled stream:

    Hello,
    I want to obtain the reassembled stream payload for both TCP and UDP in Suricata. How can I obtain stream data in the source code? Which methods/classes in the source provide or manipulate stream data?
    In short, I want to extract all streaming data from Suricata and use it when it is sniffing the network.

You can't do anything from the PHP source code in pfSense to manipulate stream data. The GUI interface you see for Suricata in pfSense is nothing more than a wrapper that displays log data generated by the underlying suricata binary and generates the required suricata.yaml configuration file used by the binary.

There are no exposed methods or classes in the GUI package PHP code. However, you can obtain packet dumps by configuring the EVE JSON logging options on the INTERFACE SETTINGS tab within the GUI. You can send the EVE JSON logs to another machine on the network for detailed analysis.

If you want to get more sophisticated than just dumping packet payloads to an EVE JSON logger, then you will need to compile and install the suricata binary (available from upstream here) on a separate machine (not a pfSense machine).

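The following is an added example, not code from this thread, from pfSense, or from the Suricata project. It shows what bmeeks's EVE JSON route looks like in practice: with `payload: yes` enabled for alerts in the eve-log output section of suricata.yaml, each alert record carries a base64 `payload` field plus a `stream` flag (1 when the bytes came from the reassembled TCP stream rather than a single packet). The script reads such records, decodes the payloads and keeps them in memory keyed by flow ID and direction, which is close to what Kagan asked for without touching the C source. The EVE records are constructed for the example; the field names match Suricata's alert output, the values are made up. Two caveats a practitioner should keep in mind: payloads are only emitted for packets or stream chunks that matched a rule, and each one is capped by `payload-buffer-size`, so what you get is a set of windows onto the stream, not the complete reassembled stream. Two rules matching the same chunk produce two records with identical bytes, which the collector deduplicates.

```python
import base64
import json
from collections import defaultdict


def make_alert(flow_id, proto, src, sport, dst, dport, payload, stream):
    """Build one constructed EVE 'alert' record. The field names (flow_id, proto,
    src_ip/src_port/dest_ip/dest_port, stream, payload) are the ones Suricata's
    eve-log alert output emits when 'payload: yes' is enabled; the values are made up."""
    return json.dumps({
        "timestamp": "2024-01-01T00:00:00.000000+0000",
        "flow_id": flow_id, "event_type": "alert", "proto": proto,
        "src_ip": src, "src_port": sport, "dest_ip": dst, "dest_port": dport,
        "alert": {"signature_id": 1000000 + flow_id, "signature": "constructed rule"},
        "stream": stream,  # 1 = payload taken from the reassembled stream
        "payload": base64.b64encode(payload).decode("ascii"),
    })


# Constructed sample log: two rules firing on the same reassembled TCP chunk,
# the server's reply on the same flow, a UDP alert, a non-alert event, and junk.
SAMPLE_EVE = "\n".join([
    make_alert(1, "TCP", "10.0.0.5", 51234, "10.0.0.9", 80, b"GET /index.html HTTP/1.1\r\n", 1),
    make_alert(1, "TCP", "10.0.0.5", 51234, "10.0.0.9", 80, b"GET /index.html HTTP/1.1\r\n", 1),
    make_alert(1, "TCP", "10.0.0.9", 80, "10.0.0.5", 51234, b"HTTP/1.1 200 OK\r\n", 1),
    make_alert(2, "UDP", "10.0.0.5", 40000, "10.0.0.53", 53,
               bytes.fromhex("000001000001000000000000"), 0),
    json.dumps({"timestamp": "2024-01-01T00:00:02.000000+0000", "flow_id": 3,
                "event_type": "flow", "proto": "TCP"}),
    "this line is not JSON",
])


def collect_payloads(eve_lines):
    """Group decoded alert payloads in memory, keyed by (flow_id, proto, direction 4-tuple).

    Returns (flows, skipped): flows maps each key to a list of chunks
    {"stream": bool, "data": bytes} in log order; skipped counts lines that were
    not valid JSON or whose payload was not valid base64. A chunk already recorded
    for the same key (another rule matching the same bytes) is not stored twice.
    """
    flows = defaultdict(list)
    seen = set()
    skipped = 0
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if ev.get("event_type") != "alert" or "payload" not in ev or "flow_id" not in ev:
            continue  # only alert records carry a payload field
        try:
            data = base64.b64decode(ev["payload"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            skipped += 1
            continue
        direction = (ev.get("src_ip"), ev.get("src_port"), ev.get("dest_ip"), ev.get("dest_port"))
        key = (ev["flow_id"], ev.get("proto"), direction)
        if (key, data) in seen:
            continue
        seen.add((key, data))
        flows[key].append({"stream": ev.get("stream") == 1, "data": data})
    return dict(flows), skipped


def joined_payload(flows, key):
    """Concatenate the chunks stored for one flow direction, in log order."""
    return b"".join(chunk["data"] for chunk in flows.get(key, []))


if __name__ == "__main__":
    flows, skipped = collect_payloads(SAMPLE_EVE.splitlines())
    print(f"{len(flows)} flow directions with payload, {skipped} line(s) skipped")
    for key, chunks in flows.items():
        flow_id, proto, (src, sport, dst, dport) = key
        origin = "stream" if chunks[0]["stream"] else "packet"
        print(f"flow {flow_id} {proto} {src}:{sport} -> {dst}:{dport} [{origin}] "
              f"{joined_payload(flows, key)!r}")
```

Run it against a real eve.json by replacing `SAMPLE_EVE.splitlines()` with the lines of that file. The direction is folded into the key on purpose: a Suricata flow_id covers both directions of a TCP connection, and concatenating client and server bytes into one buffer would produce nonsense. Because alert records carry no stream offset, `joined_payload` can only preserve log order; if you need byte-exact reassembly of an entire session, that is the plugin or pcap route bmeeks describes, not the alert log.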
Kagan:
Thank you for your answer,
I want to dump stream payloads in the Suricata C code. I installed the binary on my machine, and for the time being I am trying to find a function or a class where I can dump reassembled stream payloads (both TCP and UDP) in the C source code so that I can save the stream payload to a memory block instead of parsing EVE JSON or any other log file.

bmeeks (replying to Kagan):
@Kagan said in Suricata reassembled stream:

    Thank you for your answer,
    I want to dump stream payloads in the Suricata C code. I installed the binary on my machine, and for the time being I am trying to find a function or a class where I can dump reassembled stream payloads (both TCP and UDP) in the C source code so that I can save the stream payload to a memory block instead of parsing EVE JSON or any other log file.
Sounds like what you want to do will require you to code your own Suricata binary plugin (perhaps a detection or possibly logging plugin) and build a customized Suricata binary. All of that is way beyond what the pfSense package is designed for. If you want to pursue this course, you will fare better reading the Suricata developer docs here and by perhaps posting something on the Suricata Redmine site here.

Kagan:
Thank you for your help.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.