Suriwire is a plugin for Wireshark that allows you to display Suricata alerts and protocol information as elements of the protocol dissection.
Suriwire parses the following events:
For example, the preceding screenshot shows how it is possible to search for TLS sessions where the subject of the certificate matches a certain string.
Copy or link suriwire.lua to your wireshark plugin directory. For a user,
Run Suricata externally on the pcap file you are studying to create a suitable alert file. You need to use the EVE output format.
To specify a directory for the output files, use Suricata's -l flag, as in:
suricata -r sample.pcap -l log/
Then you will be able to use the
In wireshark, open the pcap file and go to
Then enter the name of the EVE file. This will parse the file again, adding all Suricata-generated information.
You can also indicate which EVE file to parse at startup by running something like:
SURIWIRE_EVE_FILE=log2/eve.json wireshark sample.pcap
You will now find information about the alerts and other events:
- In the detail of a packet under
Analyse->Expert Info Composite
You can also filter on the
suricata protocol. The protocol has
suricata.tls.subject which can be used
If you reuse the same eve.json file, you can set the default path in the protocol preferences inside Wireshark.
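The core of what the plugin does when it re-parses the file is to match each EVE event to the packets of its flow and expose event fields (such as suricata.tls.subject) for filtering. The following added example, not suriwire's own Lua code, does the same in Python over constructed EVE lines: it indexes events by a direction-independent 5-tuple, looks them up for a given packet, and applies a "subject contains" filter. Event field names follow Suricata's EVE JSON format; the addresses, ports and signature are made up for the example.

```python
import json
from collections import defaultdict

# Constructed sample EVE lines (not real Suricata output); last line is malformed on purpose.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000001+0000","event_type":"tls","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"93.184.216.34","dest_port":443,"proto":"TCP","tls":{"subject":"CN=www.example.com","issuer":"CN=Example CA","version":"TLS 1.2"}}
{"timestamp":"2024-01-01T10:00:01.000001+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51001,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"signature":"CONSTRUCTED test alert","severity":1}}
{"timestamp":"2024-01-01T10:00:02.000001+0000","event_type":"tls","src_ip":"10.0.0.6","src_port":51002,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","tls":{"subject":"CN=mail.example.org","issuer":"CN=Example CA","version":"TLS 1.3"}}
not json at all
"""


def flow_key(ev):
    """Direction-independent 5-tuple, so packets in both directions hit the same flow."""
    a = (ev["src_ip"], ev["src_port"])
    b = (ev["dest_ip"], ev["dest_port"])
    return (ev["proto"],) + (a + b if a <= b else b + a)


def parse_eve(text):
    """Parse EVE lines into {flow_key: [event, ...]}; count and skip unusable lines."""
    flows = defaultdict(list)
    skipped = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if "event_type" not in ev or "src_ip" not in ev:
            skipped += 1
            continue
        flows[flow_key(ev)].append(ev)
    return flows, skipped


def lookup(flows, proto, src_ip, src_port, dest_ip, dest_port):
    """Events attached to a packet's flow, whichever direction the packet travels."""
    ev = {"proto": proto, "src_ip": src_ip, "src_port": src_port,
          "dest_ip": dest_ip, "dest_port": dest_port}
    return flows.get(flow_key(ev), [])


def tls_subject_contains(flows, needle):
    """Flows with a TLS event whose certificate subject contains `needle`."""
    hits = []
    for key, events in flows.items():
        if any(e["event_type"] == "tls" and needle in e.get("tls", {}).get("subject", "")
               for e in events):
            hits.append(key)
    return sorted(hits)
```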
More information on https://home.regit.org/software/suriwire.