Introduction
Suriwire is a plugin for Wireshark that displays the Suricata alerts raised on a pcap file inside the Wireshark output.

Suriwire has the following features:
- Display of alerts in the expert info window
- Display of the alerts raised on a packet in the packet details
- Filtering of the Wireshark output on signature fields, such as a given sid or the content of a signature message
Download
Suriwire is hosted on GitHub: suriwire on github.
Usage
Installation
To use suriwire, copy the suriwire.lua file into your ~/.wireshark/plugins/ directory. Launch Wireshark and set up the Suricata protocol (Edit->Preferences->Protocols->SURICATA). The only setting is the full path to the alert file.
For now, this alert file is obtained by enabling the pcap-info output when you run Suricata over the pcap file you want to study.
Note: the pcap-info module is currently only available in the git version of Suricata.
Using suriwire
After opening the pcap file in Wireshark, go to Tools->Suricata->Activate. A dialog pops up. If the alert file path shown is correct, simply click OK; otherwise, enter the path of the alert file.
You can now see the Suricata alerts in the packet details and search for a given alert. Filtering on suricata displays all the packets that triggered an alert. For something more specific, filter on suricata.msg (signature message) or suricata.sid (signature ID).
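To show how a plugin of this kind hooks alerts into Wireshark, here is an added, illustrative Lua post-dissector. It is not suriwire's code: it registers its own protocol name (surialert), so its filter fields surialert, surialert.sid and surialert.msg mirror the suricata, suricata.sid and suricata.msg fields described above without pretending to be them; the alert-file format it parses (one line per alert: frame number, sid, message) is an assumption made for the example, not the format of Suricata's pcap-info output; and the preference name alert_file is likewise assumed. Everything else is standard Wireshark Lua API (Proto, ProtoField, ProtoExpert, Pref, register_postdissector).

```lua
-- surialert_example.lua: illustrative post-dissector, NOT suriwire's code.
-- Assumed alert-file format (constructed for this example), one alert per line:
--   <frame number> <sid> <message>
-- e.g.  17 2100498 GPL ATTACK_RESPONSE id check returned root
-- Install: copy into ~/.wireshark/plugins/, then set the path under
-- Edit->Preferences->Protocols->SURIALERT.

local proto = Proto("surialert", "Suricata alert (illustrative)")

-- Filterable fields: "surialert.sid == 2100498", "surialert.msg contains root"
local f_sid = ProtoField.uint32("surialert.sid", "Signature ID", base.DEC)
local f_msg = ProtoField.string("surialert.msg", "Signature message")
proto.fields = { f_sid, f_msg }

-- Expert info entry so alerts are listed in Analyze->Expert Information
local e_alert = ProtoExpert.new("surialert.expert", "Suricata alert",
                                expert.group.SECURITY, expert.severity.WARN)
proto.experts = { e_alert }

-- Preference holding the full path to the alert file (name assumed for the example)
proto.prefs.alert_file = Pref.string("Alert file", "", "Full path to the alert file")

-- Cache: frame number -> list of { sid = ..., msg = ... }
local alerts = nil
local loaded_from = nil

local function load_alerts(path)
  local map = {}
  local fh = io.open(path, "r")
  if not fh then return map end
  for line in fh:lines() do
    -- frame number, sid, then the remainder of the line is the message
    local frame, sid, msg = line:match("^(%d+)%s+(%d+)%s+(.*)$")
    if frame then
      local n = tonumber(frame)
      map[n] = map[n] or {}
      table.insert(map[n], { sid = tonumber(sid), msg = msg })
    end
  end
  fh:close()
  return map
end

function proto.dissector(tvb, pinfo, tree)
  local path = proto.prefs.alert_file
  if path == "" then return end
  -- (Re)load the file when the preference changes
  if alerts == nil or loaded_from ~= path then
    alerts = load_alerts(path)
    loaded_from = path
  end
  local hits = alerts[pinfo.number]   -- pinfo.number is the frame number
  if not hits then return end
  local subtree = tree:add(proto, tvb(), "Suricata alerts")
  for _, a in ipairs(hits) do
    local item = subtree:add(f_sid, a.sid)   -- appears in packet details
    subtree:add(f_msg, a.msg)
    item:add_proto_expert_info(e_alert, a.msg) -- appears in expert info
  end
end

-- A post-dissector runs after the regular dissectors on every frame,
-- which is what makes the fields above usable in display filters.
register_postdissector(proto)
```

With the file loaded and the preference set, the filter surialert shows every frame that has an alert attached, and surialert.sid or surialert.msg narrows it down, the same way the suricata, suricata.sid and suricata.msg filters work for suriwire. Because the lookup is keyed on the frame number, the alert file must have been produced from the same pcap, in the same order, that is opened in Wireshark.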
[...] public release of a plugin for the Wireshark traffic analyzer – Suriwire 0.1. The main purpose of the plugin is to display suricata alerts [...]
Suriwire has been featured at LinuxLinks.com