[Oisf-users] pcap's on alerts

mail.list at taylorofthe.net mail.list at taylorofthe.net
Tue Jan 20 00:00:56 UTC 2015

What is the best option to log only packets associated with alerts? In the suricata documentation, it reads: With the pcap-log option you can save all packets, that are registered by Suricata, in a log file named log.pcap. Is that all packets on the monitored interface? How does one get just packets associated with specific rule. Does the post-detection rule variable option work like it does in Snort?  

Thanks in advance 

More information about the Oisf-users mailing list