Suricata: Enabling payload and packet alert logging



  • Is it possible to enable payload and/or packet logging?  I know that the pcap logs are sometimes helpful with Snort in figuring out if an alert is a false alert or not but it seems like that option is not in the Suricata package yet using the payload or packet logging option to -alert.

    Maybe it might be possible to enable that setting with the advanced passthrough feature?  Ideally an option in the gui to enable it along with the other EVE logging options (ssh, etc) would be preferred.

    I am assuming that the already existing 'Enable Packet Log' feature in the GUI logs all traffic to pcap files and not just alerts which is not something I want to enable.



  • I added config to the Advanced Configuration Pass-through text box in the interface edit settings and it does not appear to be added to the interfaces suricata.yaml file.

    I was hoping to add the payload logging to eve log.  Has anyone got the passthrough to work?

    outputs:
      - eve-log:
          types: 
            - alert:
                payload: yes           # enable dumping payload in Base64
                payload-printable: yes # enable dumping payload in printable (lossy) format
                packet: yes
                http: yes
    

    ![Screenshot from 2016-05-27 14-51-14.png](/public/imported_attachments/1/Screenshot from 2016-05-27 14-51-14.png)
    ![Screenshot from 2016-05-27 14-51-14.png_thumb](/public/imported_attachments/1/Screenshot from 2016-05-27 14-51-14.png_thumb)
    ![Screenshot from 2016-05-27 16-38-22.png_thumb](/public/imported_attachments/1/Screenshot from 2016-05-27 16-38-22.png_thumb)
    ![Screenshot from 2016-05-27 16-38-22.png](/public/imported_attachments/1/Screenshot from 2016-05-27 16-38-22.png)



  • @adam65535:

    I added config to the Advanced Configuration Pass-through text box in the interface edit settings and it does not appear to be added to the interfaces suricata.yaml file.

    I was hoping to add the payload logging to eve log.  Has anyone got the passthrough to work?

    outputs:
      - eve-log:
          types: 
            - alert:
                payload: yes           # enable dumping payload in Base64
                payload-printable: yes # enable dumping payload in printable (lossy) format
                packet: yes
                http: yes
    

    The best way to accomplish this is to add the information directly to the suricata_yaml_template.inc file in /usr/local/suricata/.  Just be sure to enter it within the correct section and DO NOT overwrite any of the string variables in curly braces (like "{$something}").

    Configuration info entered into the template file will be added to every YAML conf file for every interface.  Once you add the new information to the template, you will need to manually stop then start Suricata on the INTERFACES tab.

    Bill



  • Thanks for taking the time to give me that info bmeeks.  I ended up editing the /usr/local/pkg/suricata/suricata_generate_yaml.php before your reply though.

    I would think this would be a highly requested feature as it does help determine if the problem should be looked at closer or not.  Without the payload dump you really don't have a lot to go on to determine if it is just a false positive or actual malicious intent.  With this set I only get the packet dumps for the alerts.  I turn the rest of the eve logging off so that only the packet dump alerts are in the eve which makes it very easy to find and more likely for the log file to not have overwritten the data with only alerts in the eve log.  I use the other logging features for regular suricata http, etc logging.

    Notice that '- alert' gets changed to '- alert:' for anyone else trying to do this.  '- alert' is correct if no sub options like packet, payload, etc are specified.  If you specify sub options though like I have done it needs to be '- alert:' which I assume tells the Suricata config parsing code that there are options underneath it.

    I changed…

    if ($suricatacfg['eve_log_alerts'] == 'on')
    	$eve_out_types .= "\n        - alert";
    

    to…

    if ($suricatacfg['eve_log_alerts'] == 'on') {
    	$eve_out_types .= "\n        - alert:";
            $eve_out_types .= "\n                  payload: yes               # enable dumping payload in Base64";
            $eve_out_types .= "\n                  payload-printable: yes # enable dumping payload in printable (lossy) format";
            $eve_out_types .= "\n                  packet: yes";
            $eve_out_types .= "\n                  http: yes";
    }
    

    I changed about 7 systems so far and it definitely gives the person looking at the alerts some better info to go on…. especially for http like or dns type alerts.

    EDIT:  I do have to disable Chrome's 'Check the spelling of text fields' before loading the eve log now though or the page will take forever for Chrome to spell check it.  I waited 5 minutes for a log file with just 30 log entries with payload, etc (200 KBytes) and finally killed the tab, disabled Chrome's 'Check the spelling of text fields' feature, reloaded the page, and the page loaded instantly.  It would be great if there were some kind of html hint that could be put in the Suricata Logs View page to tell Chrome not to spell check the text box where the logs are shown so that Chrome doesn't wast time trying to spell check the log file data.



  • @bmeeks:

    @adam65535:

    I added config to the Advanced Configuration Pass-through text box in the interface edit settings and it does not appear to be added to the interfaces suricata.yaml file.

    I was hoping to add the payload logging to eve log.  Has anyone got the passthrough to work?

    outputs:
      - eve-log:
          types: 
            - alert:
                payload: yes           # enable dumping payload in Base64
                payload-printable: yes # enable dumping payload in printable (lossy) format
                packet: yes
                http: yes
    

    The best way to accomplish this is to add the information directly to the suricata_yaml_template.inc file in /usr/local/suricata/.  Just be sure to enter it within the correct section and DO NOT overwrite any of the string variables in curly braces (like "{$something}").

    Configuration info entered into the template file will be added to every YAML conf file for every interface.  Once you add the new information to the template, you will need to manually stop then start Suricata on the INTERFACES tab.

    Bill

    I would like to this as well, but I am not as comfortable modifying the php as adam65535 did. I'd like to use the solution above, but I am a bit unclear on how to do so.

    In /usr/local/pkg/suricata/suricata_yaml_template.inc the relevant section for eve logging is:

    - eve-log:
          enabled: {$enable_eve_log}
          type: {$eve_output_type}
          filename: eve.json
          identity: "suricata"
          facility: {$eve_systemlog_facility}
          level: {$eve_systemlog_priority}
          types: {$eve_out_types}
    
    

    so I am not sure how to add the relevant alert options under types as I can't control that it gets entered under the alert type properly with the {$eve_out_types} variable . Can anyone provide assistance on how to do this?


Log in to reply