IDSUtil and Wireshark Alert plugin

I recently came across a really neat Wireshark plugin for displaying IDS alerts inside of Wireshark. I find this a really useful way of doing historical packet capture analysis as I have the complete detail of the alert right there inside of Wireshark. I installed the IDSUtil on a VM running the Centrych Linux distro which I have found to be one of the most pleasant to install and use. Centrych, the IDSUtil and the Wireshark Alert plugin were all created by Jack Radigan and I highly recommend them to anyone who needs to do historical packet analysis.
There is a great demonstration of the Wireshark plugin and the IDSUtil here.
Once everything is installed and configured all that is required is to update the rules and then run the ids-pcap command with the packet capture:
ids-rules ./snort/default --list
ids-pcap ./snort/default vrouter2.pcap
Once the pcap has been read by Snort or Suricata the alerts are available in Wireshark when the same pcap is opened.


Where there are more than one alert for a packet each alert is shown. Setting a display filter of just 'alert' displays all those packets that have one or more alerts associated with them. I have set my display preferences to only use a single word for columns in Wireshark to make it easier to export packets as CSV.


It's easy to export the displayed packets by selecting 'Export Packet Dissections' from the file menu in Wireshark.


Leaving 'Displayed' selected provide a filename and click OK to save the file.


As in my previous post I can use Log Parser Lizard to process the output to make a Treemap of the IDS alerts.


The query allows me to convert the priority to highest value where there are multiple alerts for a single packet and it also inverts the priority so that a bigger number is a higher priority so that it displays larger blocks for higher priorities, otherwise '1' would be the highest priority but the smallest block size.

Export the file from Log Parser Lizard as TSV and use Notepad++ to edit the headers and add the data types for Treemap.


Then save as .tm3 extension and load the file into Treemap.


Comments

Popular posts from this blog

Squid Proxy with SOF-ELK Part 1

Netflow analysis with SiLK - Part 1 Installation

CI/CD Pipeline Security & Shifting Left