Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Is it possible?

    Scheduled Pinned Locked Moved
    IDS/IPS
    2
    3
    483
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      michmoor LAYER 8 Rebel Alliance
      last edited by

      Curious but what would it take to get payload detail into the output of an alert

      Reviewing another open-source firewall i did notice that payload viewing is possible within the alert as seen below Curious as to how much work would be involved. If anything i would like to be involved in the project if its already in the works for future releases.

      59d6fe3b-c5c7-4669-8645-8bde63962d25-image.png

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by bmeeks

        There is an option to enable packet payload logging in the EVE LOG parameters on the INTERFACE SETTINGS tab in Suricata. That will write the payload as Base64-encoded text to the EVE JSON log.

        But the ALERTS tab in Suricata currently does not parse the EVE JSON log. It parses and displays alerts from a separate fast text log. So in order to display payload data all of the ALERTS tab code would have to be rewritten to reference and decode the EVE JSON log files instead of the fast text log. One problem with those JSON files is they get very large very fast and are thus frequently rotated. That means displaying a longer history of alerts would require unpacking and searching through previously rotated JSON logs.

        None of the above is an impossible task, but could be somewhat resource intensive on more marginal hardware. The general opinion for IDS/IPS logging on pfSense is that you export the EVE JSON logs to a separate server for analysis. Something like an ELK stack or equivalent. I believe some users here previously have done something similar by installing the filebeat package from FreeBSD Ports and using it to export to another log analysis server.

        There are also several other options as discussed in this thread from 2020 on the Redis forum: https://discuss.elastic.co/t/suricata-redis-elk-stack-mapping-help-please/250860. And the Suricata package on pfSense now has a Redis output option (on the INTERFACE SETTINGS tab for each interface).

        M 1 Reply Last reply Reply Quote 1
        • M
          michmoor LAYER 8 Rebel Alliance @bmeeks
          last edited by

          @bmeeks I can definitely attest to the fact that those JSON logs rack up very quickly. Bzip2 was the top running process on my box for some time.
          So instead of logging locally, it might just be better to SPAN the port and send to my security onion or graylog - basically something that can make sense of the data.

          Thanks for your input on this. I was really curious if the function could be written but not right now.

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.