Suricata reassembled stream



  • Hello,
    I want to obtain reassembled stream payload for both TCP and UDP in Suricata. How can I obtain stream data in source code? Which methods/classes in the source provide or manipulate stream data?
    Shortly, I want to extract all streaming data from Suricata and use it, when it is sniffing the network.



  • @Kagan said in Suricata reassembled stream:

    Hello,
    I want to obtain reassembled stream payload for both TCP and UDP in Suricata. How can I obtain stream data in source code? Which methods/classes in the source provide or manipulate stream data?
    Shortly, I want to extract all streaming data from Suricata and use it, when it is sniffing the network.

    You can't do anything from the PHP source code in pfSense to manipulate stream data. The GUI interface you see for Suricata in pfSense is nothing more than a wrapper that displays log data generated by the underlying suricata binary and generates the required suricata.yaml configuration file used by the binary.

    There are no exposed methods or classes in the GUI package PHP code. However, you can obtain packet dumps by configuring the EVE JSON logging options on the INTERFACE SETTINGS tab within the GUI. You can send the EVE JSON logs to another machine on the network for detailed analysis.

    If you want to get more sophisticated than just dumping packet payloads to an EVE JSON logger, then you will need to compile and install the suricata binary (available from upstream here) on a separate machine (not a pfSense machine).
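    The EVE JSON route described in this answer can be worked with a few lines of code. The following is an added example, not code from the thread or from the Suricata project: it reads EVE JSON lines, keeps only `alert` events that carry a `payload` field (Suricata writes it base64-encoded when `payload: yes` is set under the `alert` output type in suricata.yaml), decodes the bytes into memory and groups them by `flow_id`. The `stream` field, which Suricata sets to 1 when the logged bytes came from the TCP reassembly engine rather than a single packet, is kept so TCP reassembled data can be told apart from UDP datagrams. The sample log lines, flow ids, addresses and signature names are constructed for the example.

```python
import base64
import json
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class AlertPayload:
    """One decoded payload taken from an EVE alert record."""
    flow_id: int
    proto: str
    src: str
    dest: str
    signature: str
    reassembled: bool   # True when Suricata logged "stream": 1 (TCP reassembly output)
    data: bytes


def _sample_alert(flow_id, proto, src, dest, sig, stream, payload: bytes) -> str:
    """Build one constructed EVE alert line (test data, not a real capture)."""
    return json.dumps({
        "timestamp": "2024-01-01T00:00:00.000000+0000",
        "flow_id": flow_id,
        "event_type": "alert",
        "src_ip": src, "src_port": 40000, "dest_ip": dest, "dest_port": 80,
        "proto": proto,
        "alert": {"signature_id": 1000001, "signature": sig, "action": "allowed"},
        "stream": stream,
        "payload": base64.b64encode(payload).decode("ascii"),
        "payload_printable": payload.decode("ascii", "replace"),
    })


# Constructed sample log: two TCP alerts from one flow (reassembled), one UDP alert,
# one non-alert event and a truncated trailing line such as a live eve.json can have.
SAMPLE_EVE_LINES = [
    _sample_alert(1, "TCP", "10.0.0.5", "10.0.0.9", "TEST http request", 1,
                  b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    json.dumps({"event_type": "flow", "flow_id": 1, "proto": "TCP"}),
    _sample_alert(1, "TCP", "10.0.0.9", "10.0.0.5", "TEST http response", 1,
                  b"HTTP/1.1 200 OK\r\n\r\n"),
    _sample_alert(2, "UDP", "10.0.0.5", "10.0.0.53", "TEST dns query", 0,
                  b"\x12\x34\x01\x00"),
    '{"event_type": "alert", "flow_id": 3, "payload": "QUJD',
]


def parse_eve_alerts(lines):
    """Decode the payload of every well-formed alert event in an EVE JSON stream."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line: Suricata may still be writing it
        if ev.get("event_type") != "alert" or "payload" not in ev:
            continue
        try:
            data = base64.b64decode(ev["payload"], validate=True)
        except (ValueError, TypeError):
            continue  # malformed base64; skip rather than trust it
        records.append(AlertPayload(
            flow_id=int(ev.get("flow_id", 0)),
            proto=str(ev.get("proto", "")),
            src=f'{ev.get("src_ip")}:{ev.get("src_port")}',
            dest=f'{ev.get("dest_ip")}:{ev.get("dest_port")}',
            signature=ev.get("alert", {}).get("signature", ""),
            reassembled=ev.get("stream", 0) == 1,
            data=data,
        ))
    return records


def payloads_by_flow(lines):
    """Group decoded alert payloads by Suricata flow_id, preserving log order."""
    groups = defaultdict(list)
    for rec in parse_eve_alerts(lines):
        groups[rec.flow_id].append(rec)
    return dict(groups)


if __name__ == "__main__":
    for fid, recs in payloads_by_flow(SAMPLE_EVE_LINES).items():
        for r in recs:
            kind = "reassembled" if r.reassembled else "single datagram/packet"
            print(f"flow {fid} {r.proto} {r.src} -> {r.dest} [{kind}] {len(r.data)} bytes: {r.signature}")
```

    On a real sensor, replace `SAMPLE_EVE_LINES` with the lines of `eve.json` (or a socket the log is shipped to). Note that an alert's payload is the data Suricata matched on, not the whole conversation; for complete stream contents the answer above still applies and a custom build is needed.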



  • Thank you for your answer,
    I want to dump stream payloads in Suricata C code. I installed the binary on my machine and for the time being I am trying to find a function or a class where I can dump reassembled stream payloads (both TCP and UDP) in the C source code so that I can save the stream payload to a memory block instead of parsing EVE JSON or any other log file.



  • @Kagan said in Suricata reassembled stream:

    Thank you for your answer,
    I want to dump stream payloads in Suricata C code. I installed the binary on my machine and for the time being I am trying to find a function or a class where I can dump reassembled stream payloads (both TCP and UDP) in the C source code so that I can save the stream payload to a memory block instead of parsing EVE JSON or any other log file.

    Sounds like what you want to do will require you to code your own Suricata binary plugin (perhaps a detection or possibly logging plugin) and build a customized Suricata binary. All of that is way beyond what the pfSense package is designed for. If you want to pursue this course, you will fare better reading the Suricata developer docs here and by perhaps posting something on the Suricata Redmine site here.



  • Thank you for your help.

