Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Wireshark plugin to display Suricata analysis info
Lua
Branch: master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
doc
ChangeLog
INSTALL
LICENSE
README.rst
TODO
suriwire.lua

README.rst

Suriwire

Introduction

Suriwire is a plugin for wireshark that allow you to display suricata alert and protocol information as element of the protocol dissection.

wireshark screenshot with suriwire generated info

Suriwire has parsing for the following events:

  • Alerts
  • HTTP
  • fileinfo
  • TLS
  • SSH

For example, the preceding screenshot shows how it is possible to search for TLS session where the subject of the certificate matches a certain string.

Installation

Copy or link suriwire.lua to your wireshark plugin directory. For a user, this is ~/.wireshark/plugins/.

Usage

Run externally suricata on the pcap file you study to create a suitable alert file. You need to use the EVE output format. To specify a directory to output files to, you can use the -l flag in suricata

suricata -r sample.pcap -l log/

Then you will be able to use the log/eve.json file.

In wireshark, open the pcap file and go to Tools->Suricata->Activate. Then enter the name of the EVE file. This will parse again the file adding all Suricata generated information.

You can also indicate which EVE file to parse at start by running something like:

SURIWIRE_EVE_FILE=log2/eve.json wireshark sample.pcap

You will now find information about the alerts and other events:

  • In the detail of a packet under Suricata analysis element
  • In Analyse->Expert Info Composite

You can also filter on the suricata protocol. The protocol has fields like suricata.alert.sid and suricata.tls.subject which can be used in filter.

If you reuse the same eve.json file, you can set the default path in the protocol preferences inside wireshark.

More information on https://home.regit.org/software/suriwire.

Something went wrong with that request. Please try again.