Skip to content

regit/suriwire

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

51 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Suriwire

Introduction

Suriwire is a plugin for wireshark that allow you to display suricata alert and protocol information as element of the protocol dissection.

wireshark screenshot with suriwire generated info

Suriwire has parsing for the following events:

  • Alerts
  • HTTP
  • fileinfo
  • TLS
  • SSH
  • SMB

For example, the preceding screenshot shows how it is possible to search for TLS session where the subject of the certificate matches a certain string.

Installation

Copy or link suriwire.lua to your wireshark plugin directory. For a user, this is ~/.local/lib/wireshark/plugins (or ~/.wireshark/plugins/ on older systems).

Suriwire depends on cjson JSON library with a fallback on dkjson library.

Usage

Run externally suricata on the pcap file you study to create a suitable alert file. You need to use the EVE output format. To specify a directory to output files to, you can use the -l flag in suricata

suricata -r sample.pcap -l log/

Then you will be able to use the log/eve.json file.

In wireshark, open the pcap file and go to Tools->Suricata->Activate. Then enter the name of the EVE file. This will parse again the file adding all Suricata generated information.

You can also indicate which EVE file to parse at start by running something like:

SURIWIRE_EVE_FILE=log2/eve.json wireshark sample.pcap

You will now find information about the alerts and other events:

  • In the detail of a packet under Suricata analysis element
  • In Analyse->Expert Info Composite

You can also filter on the suricata protocol. The protocol has fields like suricata.alert.sid and suricata.tls.subject which can be used in filter.

If you reuse the same eve.json file, you can set the default path in the protocol preferences inside wireshark.

More information on https://home.regit.org/software/suriwire.