[Discussion] Suricata output file

Qinwen Hu qhu009 at aucklanduni.ac.nz
Sun Jan 25 01:25:47 UTC 2015


Hi,

I am a new Suricata user. I added a rule in dns-events.rules for
detecting IPv6 reverse lookup requests. When I run Suricata to read
my trace file,

sudo suricata -c suricata.yaml -r test -s
/etc/suricata/rules/dns-events.rules -l /var/log/suricata/

I got all the packets from the original trace, but I only need the packets
that match my defined rule. I have done a similar setting in Snort; if I
run the Snort command,

sudo snort -r /etc/suricata/test -c /rules/dns.rules -l /var/log/snort/

it only outputs the packets that match my defined rule.

I just wonder, are there any special settings I have to configure so that
Suricata only outputs a pcap-log that contains all the reverse lookup packets?


Many thanks for your attention to this matter. Have a nice day.


Kind regards,


Steven
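One defender-side way to get the capture the poster asks for, independently of how Suricata's pcap-log is configured, is to post-filter the written pcap so that only IPv6 reverse-lookup queries (PTR questions under ip6.arpa) remain. The script below is an added example for this thread, not Suricata's code and not from the original post; it uses only the Python standard library, parses classic pcap files with Ethernet link type, and carries constructed sample traffic (the frame builders and the 2001:db8::1 address are made up for the demonstration) so it runs offline. It deliberately ignores TCP DNS and IPv6 extension headers, which Suricata itself would handle.

```python
import ipaddress
import struct

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # 0xa1b2c3d4 written little-endian
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
QTYPE_PTR = 12


def parse_dns_question(payload):
    """Return (qname, qtype) for the first question of a DNS query, else None."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack_from("!HH", payload, 2)
    if flags & 0x8000 or qdcount == 0:          # a response, or nothing asked
        return None
    labels, off = [], 12
    while off < len(payload):
        n, off = payload[off], off + 1
        if n == 0:
            break
        if n & 0xC0 or off + n > len(payload):  # compression pointer or truncated
            return None
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    else:                                       # ran out of bytes before the root label
        return None
    if off + 4 > len(payload):
        return None
    return ".".join(labels).lower(), struct.unpack_from("!H", payload, off)[0]


def is_ipv6_reverse_lookup(payload):
    """True for a PTR query whose name lies under ip6.arpa."""
    q = parse_dns_question(payload)
    return q is not None and q[1] == QTYPE_PTR and q[0].endswith(".ip6.arpa")


def dns_payload_of(frame):
    """UDP/53 payload of an Ethernet frame carrying IPv4 or IPv6, else None."""
    if len(frame) < 14:
        return None
    ethtype = struct.unpack_from("!H", frame, 12)[0]
    if ethtype == ETH_IPV4 and len(frame) >= 34:
        l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]   # IHL, Protocol
    elif ethtype == ETH_IPV6 and len(frame) >= 54:
        l4, proto = 54, frame[20]                           # fixed header, Next Header
    else:
        return None
    if proto != 17 or len(frame) < l4 + 8:                  # UDP only
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return frame[l4 + 8:] if 53 in (sport, dport) else None


def filter_pcap(data):
    """Return (pcap_bytes, kept_count) keeping only ip6.arpa PTR query records."""
    e = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(data[:4])
    if e is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(e + "I", data, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    out, kept, off = bytearray(data[:24]), 0, 24
    while off + 16 <= len(data):
        incl = struct.unpack_from(e + "IIII", data, off)[2]
        frame = data[off + 16:off + 16 + incl]
        if len(frame) < incl:                   # truncated trailing record: stop cleanly
            break
        payload = dns_payload_of(frame)
        if payload is not None and is_ipv6_reverse_lookup(payload):
            out += data[off:off + 16 + incl]    # copy record header + frame untouched
            kept += 1
        off += 16 + incl
    return bytes(out), kept


# --- constructed sample traffic, not a real capture --------------------------
def build_dns_query(name, qtype):
    """Constructed: minimal DNS query with one IN question."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def build_frame(dns):
    """Constructed: Ethernet/IPv4/UDP frame to port 53, checksums left zero."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53])) + udp
    return bytes(12) + struct.pack("!H", ETH_IPV4) + ip


def build_pcap(frames):
    """Constructed: little-endian pcap, LINKTYPE_ETHERNET, one record per frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 1422147947, i, len(f), len(f)) + f
                             for i, f in enumerate(frames))


REVERSE_V6 = ipaddress.ip_address("2001:db8::1").reverse_pointer   # ends in ip6.arpa
SAMPLE_PCAP = build_pcap([
    build_frame(build_dns_query("example.com", 1)),                     # A query: drop
    build_frame(build_dns_query("1.0.0.127.in-addr.arpa", QTYPE_PTR)),  # IPv4 PTR: drop
    build_frame(build_dns_query(REVERSE_V6, QTYPE_PTR)),                # IPv6 PTR: keep
])

if __name__ == "__main__":
    _, n = filter_pcap(SAMPLE_PCAP)
    print(f"kept {n} IPv6 reverse-lookup packet(s) out of 3")
```

To apply it to a real Suricata pcap-log file, read the file into `filter_pcap` and write the returned bytes out; the record headers and timestamps are copied verbatim, so the result opens in Wireshark or tcpdump like any other capture.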