Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Wireshark plugin to display Suricata analysis info
Lua
branch: master

fix bug on double "Activate"

Clicking on "Suricata->Activate" twice was resulting in wireshark to
leave because the protocol dissector was redefined. Moving code
relative to dissector out af the activate function is fixing the
issue.
latest commit 2125e9f21d
@regit authored

README.rst

Suriwire

Introduction

Suriwire is a plugin for wireshark that allow you to display suricata alert and protocol information as element of the protocol dissection.

wireshark screenshot with suriwire generated info

Suriwire has parsing for the following events:

  • Alerts
  • HTTP
  • fileinfo
  • TLS
  • SSH

For example, the preceding screenshot shows how it is possible to search for TLS session where the subject of the certificate matches a certain string.

Installation

Copy or link suriwire.lua to your wireshark plugin directory. For a user, this is ~/.wireshark/plugins/.

Usage

Run externally suricata on the pcap file you study to create a suitable alert file. You need to use the EVE output format. To specify a directory to output files to, you can use the -l flag in suricata

suricata -r sample.pcap -l log/

Then you will be able to use the log/eve.json file.

In wireshark, open the pcap file and go to Tools->Suricata->Activate. Then enter the name of the EVE file. This will parse again the file adding all Suricata generated information.

You will now find information about the alerts and other events:

  • In the detail of a packet under Suricata analysis element
  • In Analyse->Expert Info Composite

You can also filter on the suricata protocol. The protocol has fields like suricata.alert.sid and suricata.tls.subject which can be used in filter.

If you reuse the same eve.json file, you can set the default path in the protocol preferences inside wireshark.

More information on https://home.regit.org/software/suriwire.

Something went wrong with that request. Please try again.