[Oisf-users] Options for Alerts
Victor Julien
lists at inliniac.net
Thu Jun 5 14:01:06 UTC 2014
On 06/05/2014 03:52 PM, Gofran, Paul wrote:
> Is there a way to write a PCAP to disk when an alert is logged (For the
> packet that triggered the alert or even for the whole flow)? This would
> be beneficial to provide more context for the alert if full packet
> capture is not an option.
>
>
>
> Is anyone trying to do something like this?
Unified2 output with barnyard2 can do this, in a best effort way. When
Suricata writes an alerts found in a TCP stream, it also writes the
segments still in memory for that stream to the unified2 file. Barnyard2
can then log them to pcap.
The best effort nature is due to Suricata not keeping those segments in
memory forever. In general an alert found in a HTTP URI should be fine,
but if you alert on something 2mb into the HTTP body, it's unlikely that
the segments for the HTTP headers are still available.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list