<div dir="ltr">fwiw our hack for this is:<div>run stenographer,</div><div>run a script that tails Suricata alerts, and request stream from stenographer.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 11, 2017 at 3:14 PM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, Apr 11, 2017 at 11:59 PM, Tom DeCanio <<a href="mailto:decanio.tom@gmail.com">decanio.tom@gmail.com</a>> wrote:<br>
> I picked up an old suricata PR for something called timemachine and fixed up<br>
> the issues that I discovered and got it working. It does what I believe<br>
> folks are looking for. It obviously is limited by the available memory<br>
> on the machine on which this is running.<br>
><br>
> I could resubmit the PR containing my own modifications if people have an<br>
> interest in this.<br>
><br>
<br>
</span>Yes please.<br>
<div class="HOEnZb"><div class="h5"><br>
> Tom<br>
><br>
> On Tue, Apr 11, 2017 at 1:33 PM Jason Williams<br>
> <<a href="mailto:jwilliams@emergingthreats.net">jwilliams@emergingthreats.net</a><wbr>> wrote:<br>
>><br>
>> I believe constant full packet capture w/ suri or something such as moloch<br>
>> may be the answer for this.<br>
>><br>
>> I've deployed suri and moloch in tandem for this purpose, until<br>
>> precognition makes its way to the suricata stack. :)<br>
>><br>
>> Jason<br>
>><br>
>> On Wed, Mar 1, 2017 at 4:41 AM, oleg gv <<a href="mailto:oagvozd@gmail.com">oagvozd@gmail.com</a>> wrote:<br>
>>><br>
>>>  Hello !<br>
>>><br>
>>> How can I log packets BEFORE the packet that triggered a rule? The "tag"<br>
>>> rule option can log packets AFTER the activation packet, but I need to log<br>
>>> BEFORE it.<br>
>>><br>
>>> May be there is a patch for it ?<br>
>>><br>
>>> ______________________________<wbr>_________________<br>
>>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
>>> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
>>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
>>><br>
>><br>
><br>
><br>
><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Regards,<br>
Peter Manev<br>
</font></span><div class="HOEnZb"><div class="h5">______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div><br></div>
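<div dir="ltr">The "tail the alerts, ask stenographer for the stream" hack described at the top of this thread, written out as an added example. This is not code from the thread, from Suricata or from Stenographer: the script, its function names and the constants (lookback window, output naming, the assumption that <code>stenoread</code> is on <code>PATH</code> and that eve.json lives at the default path) are all assumptions made for the example, and the two EVE lines embedded in it are constructed sample input. It follows eve.json like <code>tail -f</code>, keeps only <code>event_type: alert</code> records, and turns each one into a stenographer query on the alert's 5-tuple bounded by <code>after</code>/<code>before</code> timestamps that start before the triggering packet, which is exactly the part <code>tag</code> cannot give you.</div>

```python
"""Tail Suricata EVE alerts and pull the surrounding packets from Stenographer.

Added example, not from the mailing-list thread or either project. Assumptions:
  - `stenoread` (stenographer's client wrapper) is on PATH
  - eve.json is at the default Suricata location
  - LOOKBACK/LOOKAHEAD window sizes are arbitrary choices for the example
"""
import json
import os
import shlex
import subprocess
import sys
import time
from datetime import datetime, timedelta, timezone

LOOKBACK = 120           # seconds of traffic to pull BEFORE the alert packet
LOOKAHEAD = 30           # seconds AFTER it
STENOREAD = "stenoread"  # assumption: wrapper is on PATH

# Suricata EVE protocol names -> stenographer query keywords
_PROTO = {"TCP": "tcp", "UDP": "udp", "ICMP": "icmp"}

# Constructed sample EVE lines (one alert, one non-alert) for testing offline.
SAMPLE_EVE = [
    '{"timestamp":"2017-04-11T23:59:12.123456+0200","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":49152,"dest_ip":"203.0.113.7","dest_port":80,'
    '"proto":"TCP","alert":{"signature_id":2000001,"signature":"EXAMPLE test rule"}}',
    '{"timestamp":"2017-04-11T23:59:13.000000+0200","event_type":"http",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.7"}',
]


def parse_eve_time(ts):
    """Parse Suricata's EVE timestamp, e.g. 2017-04-11T23:59:12.123456+0200."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def _rfc3339(t):
    """Stenographer takes absolute times in RFC3339; normalise to UTC."""
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def stenographer_query(alert, lookback=LOOKBACK, lookahead=LOOKAHEAD):
    """Build a stenographer query covering the alert's flow around its timestamp.

    `host X and host Y` matches both directions because `host` is to/from.
    """
    t = parse_eve_time(alert["timestamp"])
    parts = ["host %s" % alert["src_ip"], "host %s" % alert["dest_ip"]]
    if "src_port" in alert and "dest_port" in alert:
        parts += ["port %d" % alert["src_port"], "port %d" % alert["dest_port"]]
    proto = _PROTO.get(str(alert.get("proto", "")).upper())
    if proto:
        parts.append(proto)
    parts.append("after " + _rfc3339(t - timedelta(seconds=lookback)))
    parts.append("before " + _rfc3339(t + timedelta(seconds=lookahead)))
    return " and ".join(parts)


def alerts_from_lines(lines):
    """Yield only event_type == alert records from EVE JSON lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # not valid JSON; skip
        if ev.get("event_type") == "alert":
            yield ev


def tail_eve(path, poll=0.5):
    """Follow eve.json from its current end, like tail -f, yielding whole lines."""
    with open(path) as f:
        f.seek(0, os.SEEK_END)
        buf = ""
        while True:
            chunk = f.readline()
            if not chunk:
                time.sleep(poll)
                continue
            buf += chunk
            if buf.endswith("\n"):   # only hand out complete lines
                yield buf
                buf = ""


def pcap_name(alert):
    """Output file name: UTC alert time, sid, and the two endpoints."""
    sid = alert.get("alert", {}).get("signature_id", 0)
    stamp = parse_eve_time(alert["timestamp"]).astimezone(timezone.utc)
    return "alert-%s-%d-%s_%s.pcap" % (
        stamp.strftime("%Y%m%dT%H%M%S"), sid, alert["src_ip"], alert["dest_ip"])


def main(eve_path="/var/log/suricata/eve.json", out_dir="."):
    for alert in alerts_from_lines(tail_eve(eve_path)):
        cmd = [STENOREAD, stenographer_query(alert),
               "-w", os.path.join(out_dir, pcap_name(alert))]
        print("running:", " ".join(shlex.quote(c) for c in cmd), file=sys.stderr)
        subprocess.run(cmd, check=False)   # stenoread passes -w through to tcpdump


if __name__ == "__main__":
    main(*sys.argv[1:3])
```

<div dir="ltr">Two practical notes: the lookback only helps if stenographer's retention covers it, so size its disk budget against the window you care about; and because every alert spawns a <code>stenoread</code> call, a noisy rule can turn this into a self-inflicted load on the capture box, so rate-limit or filter on signature before wiring it to production alerts.</div>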