
[Feature] Suricata - Add payload support #1911

Closed
guillaume-u opened this issue Nov 3, 2017 · 8 comments

@guillaume-u

Hello,

I think this hasn't already been asked (I did not find this feature request).

Is it possible to add the payload support in "eve-log" and display the result in the WebUI?

```yaml
 - eve-log:
        - alert:
            payload: yes
            payload-buffer-size: 4kb
            payload-printable: yes
            packet: yes
```

It will be very useful to get this information to enable/disable/investigate Suricata rules.

Thanks,

Guillaume.

@AdSchellevis (Member)

Hi Guillaume,

It's not already on the list, but indeed quite useful.
To prevent people's log files from flooding, we should make it an optional feature (if we can find time to implement it).

Best regards,

Ad

@guillaume-u (Author) commented Nov 3, 2017

Thanks a lot @AdSchellevis, sure it can be an optional feature.

As an ugly hack to enable this functionality manually, you can follow what I wrote in the forum here: https://forum.opnsense.org/index.php?topic=6284.msg26746#msg26746

Quote:

- Enable the payload in eve-log (see above).

- Edit and add: /usr/local/opnsense/mvc/app/controllers/OPNsense/IDS/forms/dialogAlert.xml

  ```xml
  <field>
      <id>payload_printable</id>
      <label>Payload</label>
      <type>info</type>
  </field>
  ```

- Edit: /usr/local/opnsense/mvc/app/views/OPNsense/IDS/index.volt (to add the payload entry)

  ```
  {{ lang._('Destination') }}
  {{ lang._('Payload') }}
  {{ lang._('Alert') }}
  ```

- Edit: /usr/local/opnsense/service/templates/OPNsense/IDS/suricata.yaml and /usr/local/etc/suricata/suricata.yaml

  ```yaml
  filename: eve.json

  types:
    - alert:
        payload: yes
        payload-buffer-size: 100kb
        payload-printable: yes
        packet: yes
  ```

Note:
As I didn't really take a look at the OPNsense code, I'm not sure that's the right way to do it, but it works in my case.
As I said, this is an ugly hack; there is no integration with the UI to enable/disable this functionality. Moreover, an OPNsense update can remove all of these modifications.
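An added example, not code from the OPNsense project or from this thread: it reads constructed eve.json alert lines with the payload fields enabled, decodes the base64 `payload` (capped the way `payload-buffer-size` caps it), keeps `payload_printable` as-is, and measures how many extra bytes each alert record carries, which is the log-flooding concern raised above.

```python
import base64
import json

# Constructed sample eve.json lines (not real captures): the same alert with
# payload logging enabled and disabled, plus a non-alert event that is skipped.
_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
_ALERT = {
    "timestamp": "2017-11-03T10:00:00.000000+0100", "event_type": "alert",
    "src_ip": "192.0.2.10", "src_port": 51234, "dest_ip": "192.0.2.20",
    "dest_port": 80, "proto": "TCP",
    "alert": {"action": "allowed", "gid": 1, "signature_id": 1000001, "rev": 1,
              "signature": "CONSTRUCTED TEST rule", "category": "Test"},
}
SAMPLE_EVE_LINES = [
    json.dumps({**_ALERT, "payload": base64.b64encode(_REQ).decode(),
                "payload_printable": _REQ.decode()}),
    json.dumps(_ALERT),
    json.dumps({"event_type": "flow", "src_ip": "192.0.2.10"}),
]

def parse_alerts(lines, max_payload_bytes=4096):
    """Return one dict per alert event. A 'payload' field is base64 decoded and
    truncated to max_payload_bytes; 'payload_printable' is kept verbatim.
    Malformed lines and non-alert events are skipped."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        raw = base64.b64decode(ev["payload"]) if "payload" in ev else b""
        # Size of the record with and without the two payload fields, using a
        # compact encoding so the comparison does not depend on input spacing.
        stripped = {k: v for k, v in ev.items()
                    if k not in ("payload", "payload_printable")}
        full_len = len(json.dumps(ev, separators=(",", ":")))
        base_len = len(json.dumps(stripped, separators=(",", ":")))
        alerts.append({
            "sid": ev["alert"]["signature_id"],
            "signature": ev["alert"]["signature"],
            "flow": f'{ev["src_ip"]}:{ev["src_port"]} -> {ev["dest_ip"]}:{ev["dest_port"]}',
            "payload": raw[:max_payload_bytes],
            "payload_printable": ev.get("payload_printable", ""),
            "payload_overhead": full_len - base_len,  # extra bytes per alert
        })
    return alerts

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_EVE_LINES):
        print(a["sid"], a["flow"], f'+{a["payload_overhead"]}B', repr(a["payload_printable"][:40]))
```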

@AdSchellevis AdSchellevis self-assigned this Nov 16, 2017
@AdSchellevis AdSchellevis added the feature Adding new functionality label Nov 16, 2017
@AdSchellevis (Member)

Suricon 2017 seems like a great moment to add this feature...

For now I've only added the printable content, I'm also looking into supporting custom overwrites of the suricata.yaml file for custom (advanced) features.

AdSchellevis added a commit that referenced this issue Nov 16, 2017
…. support enable/disable rule from log view. for #1911
@AdSchellevis (Member)

To test on a recent version of OPNsense, use: opnsense-patch 14d0ce9

@AdSchellevis AdSchellevis added this to the 18.1 milestone Nov 17, 2017
fichtner pushed a commit that referenced this issue Nov 20, 2017
PR: #1911
PR: #1935

(cherry picked from commit 14d0ce9)
(cherry picked from commit 18515f1)
AdSchellevis added a commit that referenced this issue Nov 20, 2017
- add options to suricata yaml
- add tls and http options in alert view
- bug: fix issue with grid when interface is missing (crash on replace())
- style: change dialog markup, a bit wider and less padding.

a bit related to #1911
@AdSchellevis (Member)

Some more work done on the alert viewer in 38aafc8; below are examples of alerts with and without payload enabled.

fichtner pushed a commit that referenced this issue Nov 28, 2017
- add options to suricata yaml
- add tls and http options in alert view
- bug: fix issue with grid when interface is missing (crash on replace())
- style: change dialog markup, a bit wider and less padding.

a bit related to #1911

(cherry picked from commit 38aafc8)
@sempervictus

We pull our OpnSense syslog into ELK, so the more context we could get here, the merrier (not too worried about flooding elastic clusters with FW logs). Thank you much

@AdSchellevis (Member)

@sempervictus thank you for the encouragement!

@fichtner (Member)

All done, thanks!
