I’ve added a new tool to my idstools package to convert the packets (or the payloads) found in Suricata eve logs to a pcap file.
To just grab the script, download eve2pcap.py and make it executable, or to install the complete idstools package (will install as idstools-eve2pcap):
pip install --upgrade idstools
Usage is pretty simple:
./eve2pcap.py -o output.pcap /path/to/eve.json
Or to use the payload field instead of the packet field:
./eve2pcap.py -o output.pcap --payload /path/to/eve.json
For straight packet conversion no dependencies are required other than Python and libpcap. Scapy is used for conversion of the payload field, so make sure to install it before trying to convert the payload.
It is also important to note that eve logs do not contain all the information to recreate the packet headers, so when converting payloads to pcap the headers are “manufactured” and may not always produce the best packet for the payload, so YMMV.
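To make the packet/payload distinction and the "manufactured headers" caveat concrete, here is a small standard-library converter. It is an example added to this post, not the idstools eve2pcap code: packet mode copies the base64 packet field into the pcap verbatim, while payload mode wraps the base64 payload field in Ethernet/IPv4/TCP (or UDP) headers built from the 5-tuple in the record, zeroing everything the log does not carry (MACs, IP id, TCP seq/ack, L4 checksum). It assumes Ethernet frames, IPv4 addresses and the eve field names timestamp, src_ip, dest_ip, src_port, dest_port and proto; the two eve records at the bottom are constructed sample input.

```python
"""eve.json -> pcap with only the standard library (added example, not
the idstools eve2pcap implementation)."""
import base64
import io
import json
import socket
import struct
from datetime import datetime

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1  # assumption: the packet field holds Ethernet frames


def pcap_global_header(linktype=LINKTYPE_ETHERNET):
    # magic, version 2.4, tz offset, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)


def pcap_record(ts, data):
    # per-packet header: seconds, microseconds, captured length, wire length
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(data), len(data)) + data


def parse_timestamp(ts):
    # eve timestamps look like 2016-01-20T23:13:48.123456+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()


def ip_checksum(header):
    # RFC 1071 one's-complement sum over 16-bit words (checksum field zeroed)
    total = sum((header[i] << 8) + header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def manufactured_frame(ev, payload):
    """Wrap a payload in Ethernet + IPv4 + TCP/UDP headers from the record's
    5-tuple. Fields the log lacks are zero, so Wireshark decodes the stream
    but this is not the packet that was on the wire. IPv4 only."""
    proto = ev.get("proto", "TCP").upper()
    if proto == "TCP":  # src, dst, seq, ack, data offset 5, PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", ev["src_port"], ev["dest_port"],
                         0, 0, 5 << 4, 0x18, 65535, 0, 0)
        ip_proto = 6
    elif proto == "UDP":  # src, dst, length, csum
        l4 = struct.pack("!HHHH", ev["src_port"], ev["dest_port"], 8 + len(payload), 0)
        ip_proto = 17
    else:
        raise ValueError("unsupported proto: %s" % proto)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, ip_proto, 0,
                     socket.inet_aton(ev["src_ip"]), socket.inet_aton(ev["dest_ip"]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # fill checksum
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    return eth + ip + l4 + payload


def eve_to_pcap(lines, use_payload=False):
    """Return (pcap_bytes, record_count) for an iterable of eve JSON lines.
    Records without the selected field (flow, stats, ...) are skipped."""
    field = "payload" if use_payload else "packet"
    out = io.BytesIO()
    out.write(pcap_global_header())
    count = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if field not in ev:
            continue
        data = base64.b64decode(ev[field])
        if use_payload:
            data = manufactured_frame(ev, data)
        out.write(pcap_record(parse_timestamp(ev["timestamp"]), data))
        count += 1
    return out.getvalue(), count


# Constructed sample: a 70-byte Ethernet/IPv4/TCP frame carrying "GET / HTTP/1.0\r\n"
SAMPLE_PACKET = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"
    "4500" "0038" "0001" "4000" "40" "06" "6f15" "0a000001" "c0a80101"
    "c350" "0050" "00000001" "00000001" "50" "18" "ffff" "0000" "0000"
    "474554202f20485454502f312e300d0a")
# Constructed eve lines: one alert with packet and payload, one flow record with neither
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2016-01-20T23:13:48.123456+0000", "event_type": "alert",
                "src_ip": "10.0.0.1", "src_port": 50000, "dest_ip": "192.168.1.1",
                "dest_port": 80, "proto": "TCP",
                "packet": base64.b64encode(SAMPLE_PACKET).decode(),
                "payload": base64.b64encode(SAMPLE_PACKET[54:]).decode()}),
    json.dumps({"timestamp": "2016-01-20T23:13:49.000000+0000", "event_type": "flow",
                "src_ip": "10.0.0.1", "dest_ip": "192.168.1.1", "proto": "TCP"}),
]

if __name__ == "__main__":  # usage: python this.py [--payload] eve.json out.pcap
    import sys
    args = [a for a in sys.argv[1:] if a != "--payload"]
    with open(args[0]) as f:
        pcap, n = eve_to_pcap(f, "--payload" in sys.argv)
    with open(args[1], "wb") as f:
        f.write(pcap)
    print("wrote %d packets" % n)
```

Running it in payload mode on the sample yields a pcap whose frames have the right addresses, ports and payload but zero MACs, sequence numbers and L4 checksums, which is exactly the "manufactured" shape the caveat above warns about; Wireshark will flag the bad checksums unless checksum validation is turned off.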