<div dir="ltr"><div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Wed, Oct 24, 2018 at 2:41 PM Davide Setti <<a href="mailto:d.setti@certego.net">d.setti@certego.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Maybe I should also mention that I cannot enable Full Packet Capture.<div><br></div><div>I was just wondering if it is possible to log the content of the internal buffers used by Suricata (which should be able to decode the gzipped content and analyze it).<br><br></div></div></blockquote><div><br></div><div>You mean, like dump it to disk/log? (Not just the one from the alerts?)<br>I haven't tried this in a while, but maybe this is what you need: <a href="https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L552">https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L552</a> ?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Thanks,</div><div>Davide<br><div class="gmail_quote"><div dir="ltr">On Wed, Oct 24, 2018 at 2:30 PM Kevin Geil <<a href="mailto:info@friendandfamilytech.com" target="_blank">info@friendandfamilytech.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">If you have full packet captures, you can filter out the traffic you need, then "follow TCP stream" in Wireshark. 
You can try this with a single packet, but it might not be enough data.<div dir="auto"><br></div><div dir="auto">Kevin</div></div></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail-m_-4483791801250147850gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="padding-top:2px;color:rgb(0,172,237);font-weight:bold;font-size:18px;font-family:sans-serif;letter-spacing:1px">Davide Setti</div><div style="padding-top:2px;color:rgb(32,32,32);font-weight:bold;font-size:14px;font-family:sans-serif">R&D and Incident Response Team, Certego</div></div></div></div></div></div></div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div>Regards,</div>
<div>Peter Manev</div></div></div></div>
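<p>An added example illustrating the body that Peter notes is already available "from the alerts"; this is not code from the thread or from the Suricata project. It assumes the eve-log alert section has <code>http-body: yes</code> enabled, so each alert record carries a base64 <code>http_response_body</code> field holding the body as Suricata's HTTP parser decoded it (i.e. after gzip decompression). The field and option names are my reading of the Suricata documentation and should be checked against the suricata.yaml of the version in use. The eve.json lines below are constructed, including one hypothetical record whose body is still gzip-compressed, to exercise the fallback path; for every HTTP transaction rather than only alerting ones, the output section Peter links in suricata.yaml.in is the place to look.</p>

```python
"""Pull the HTTP response bodies that Suricata attaches to EVE alert records.

Assumption: the eve-log `alert` output has `http-body: yes` (optionally also
`http-body-printable: yes`), so alerts on HTTP traffic carry a base64
`http_response_body` field with the body as libhtp decoded it, i.e. already
gzip-decompressed. Names are from my reading of the Suricata docs; verify
them against your suricata.yaml before relying on this.
"""
import base64
import gzip
import json

GZIP_MAGIC = b"\x1f\x8b"


def decode_body(b64: str) -> bytes:
    """Base64-decode a body field.

    Normally the result is already the plain, decompressed body. If it still
    starts with gzip magic (hypothetical case: a raw payload rather than the
    decoded body), gunzip it so callers always get the same thing. Corrupt or
    truncated gzip data is returned untouched instead of raising.
    """
    raw = base64.b64decode(b64)
    if raw.startswith(GZIP_MAGIC):
        try:
            return gzip.decompress(raw)
        except (OSError, EOFError):
            return raw
    return raw


def alert_bodies(eve_lines):
    """Return one record per alert that carries an HTTP response body.

    Non-alert events (event_type http, flow, ...) and alerts without a body
    (non-HTTP alerts, or alerts raised before the response arrived) are
    skipped rather than treated as errors.
    """
    found = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        b64 = ev.get("http_response_body")
        if not b64:
            continue
        http = ev.get("http", {})
        found.append({
            "flow_id": ev.get("flow_id"),
            "signature_id": ev["alert"]["signature_id"],
            "hostname": http.get("hostname"),
            "url": http.get("url"),
            "body": decode_body(b64),
        })
    return found


# Constructed sample eve.json lines (not real Suricata output).
PLAIN_BODY = b"<html><body>Hello from origin</body></html>"
SAMPLE_EVE = [
    # HTTP alert with the decoded body attached (the normal case).
    json.dumps({"timestamp": "2018-10-24T14:41:00.000000+0200", "flow_id": 1,
                "event_type": "alert", "src_ip": "10.0.0.5",
                "dest_ip": "203.0.113.10", "dest_port": 80, "proto": "TCP",
                "alert": {"signature_id": 1000001, "signature": "TEST body"},
                "http": {"hostname": "example.test", "url": "/",
                         "http_content_type": "text/html"},
                "http_response_body": base64.b64encode(PLAIN_BODY).decode("ascii")}),
    # Plain http event: no body field, must be ignored.
    json.dumps({"flow_id": 2, "event_type": "http",
                "http": {"hostname": "example.test", "url": "/x"}}),
    # Alert without a body (non-HTTP signature), must be skipped.
    json.dumps({"flow_id": 3, "event_type": "alert",
                "alert": {"signature_id": 1000002, "signature": "no body"}}),
    # Hypothetical: body still gzip-compressed, exercises the fallback.
    json.dumps({"flow_id": 4, "event_type": "alert",
                "alert": {"signature_id": 1000003, "signature": "still gzipped"},
                "http_response_body":
                    base64.b64encode(gzip.compress(PLAIN_BODY)).decode("ascii")}),
]

if __name__ == "__main__":
    for rec in alert_bodies(SAMPLE_EVE):
        print(rec["flow_id"], rec["signature_id"], rec["hostname"], rec["body"][:40])
```

Run it against a real file with `alert_bodies(open("/var/log/suricata/eve.json"))`; the body only appears on alerts, so a rule that matches the traffic of interest (or a deliberately broad one during an investigation) is what makes Suricata emit it.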