[Oisf-users] Capturing encrypted traffic
Jake Gionet
gionet.jake at gmail.com
Wed Feb 20 12:32:52 UTC 2013
I believe there are two options for doing this. First is setting your
stream variables in a way that causes Suricata to continue to inspect
encrypted traffic (I forget if/how this is possible at the moment). The
second is setting "use-stream-depth: no" in the pcap-log section. If you
want an example take a look at
http://rules.emergingthreats.net/open/suricata-1.3/suricata-1.3-open.yaml
For what it's worth, I found the packet capture output from Suricata to be
very inefficient. Running tcpdump at the same time produced much better
results for me. There are some programs that capture more efficiently than
tcpdump which you may want to explore as well.
Jake Gionet
On Tue, Feb 19, 2013 at 5:55 PM, Mike Ware <mware at zettaset.com> wrote:
> Is there a way to set the pcap logging to capture encrypted traffic?
> Thanks
> Mike
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
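Added example, not from the thread or the Suricata project: a suricata.yaml fragment showing the pcap-log setting discussed above, with the stream-depth-limited default beside the form that keeps logging a flow after the reassembly depth is reached. The filename, limit and depth values are constructed placeholders; the encryption-handling key applies to later Suricata releases than the 1.3 config linked in the reply.

```yaml
# Default-style pcap-log: once a flow passes the reassembly depth
# (stream.reassembly.depth), Suricata stops inspecting it and, with
# use-stream-depth: yes, also stops writing its packets to the pcap.
# For TLS sessions that means only the handshake and early records land on disk.
outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap        # constructed placeholder
      limit: 1000mb             # rotate file at this size (placeholder)
      max-files: 2000
      mode: normal              # or sguil / multi
      use-stream-depth: yes     # stop logging a flow at stream depth

# Corrected for full-session capture of encrypted flows: keep logging
# packets even after inspection of the flow has stopped at depth.
# Expect larger pcaps and more disk I/O; budget for it.
outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap
      limit: 1000mb
      max-files: 2000
      mode: normal
      use-stream-depth: no      # log the whole flow regardless of depth

# Related knob the reply alludes to: the reassembly depth itself.
# Raising it delays the "stop inspecting" point for every flow, not only TLS.
stream:
  reassembly:
    depth: 1mb                  # constructed placeholder value
```

Verify the effect by replaying a pcap containing a long TLS session through Suricata with each setting and comparing packet counts per flow in the resulting log.pcap; the use-stream-depth: no run should retain packets past the depth boundary.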