Suriwire is a plugin for wireshark that allow you to display suricata alert and protocol information as element of the protocol dissection.
Suriwire has parsing for the following events:
- Alerts
- HTTP
- fileinfo
- TLS
- SSH
- SMB
For example, the preceding screenshot shows how it is possible to search for TLS session where the subject of the certificate matches a certain string.
Copy or link suriwire.lua to your wireshark plugin directory. For a user,
this is ~/.local/lib/wireshark/plugins (or ~/.wireshark/plugins/ on
older systems).
Suriwire depends on cjson JSON library with a fallback on dkjson library.
Run externally suricata on the pcap file you study to create a
suitable alert file. You need to use the EVE output format.
To specify a directory to output files to, you can use the -l
flag in suricata
suricata -r sample.pcap -l log/
Then you will be able to use the log/eve.json file.
In wireshark, open the pcap file and go to Tools->Suricata->Activate.
Then enter the name of the EVE file. This will parse again the file adding
all Suricata generated information.
You can also indicate which EVE file to parse at start by running something like:
SURIWIRE_EVE_FILE=log2/eve.json wireshark sample.pcap
You will now find information about the alerts and other events:
- In the detail of a packet under
Suricata analysiselement - In
Analyse->Expert Info Composite
You can also filter on the suricata protocol. The protocol has
fields like suricata.alert.sid and suricata.tls.subject which can be used
in filter.
If you reuse the same eve.json file, you can set the default path in the
protocol preferences inside wireshark.
More information on https://home.regit.org/software/suriwire.