[Oisf-users] pcaps on alerts
mail.list at taylorofthe.net
Tue Jan 20 00:00:56 UTC 2015
What is the best option to log only packets associated with alerts? In the Suricata documentation, it reads: "With the pcap-log option you can save all packets that are registered by Suricata in a log file named log.pcap." Is that all packets on the monitored interface? How does one get just the packets associated with a specific rule? Does the post-detection rule variable option work like it does in Snort?
Thanks in advance
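The following suricata.yaml fragment is an added illustration, not part of the original post or an answer from the list. It shows the `pcap-log` output section with its `conditional` setting, which selects between logging every packet on the interface (`all`), only packets that raised an alert (`alerts`), or only packets tagged by a rule's `tag` keyword (`tag`). The `conditional` option appeared in Suricata releases after this 2015 thread (my understanding is Suricata 6.0 and later; earlier versions log all packets regardless), so check your version's documentation before relying on it. The rule at the bottom is a constructed example using placeholder values (`sid:1000001`, the message text and the tag count) to show the Snort-style post-detection `tag` keyword, which is what causes packets to be written when `conditional: tag` is set.

```yaml
# suricata.yaml excerpt (added example; paths and limits are assumptions)
outputs:
  # Full-packet capture to disk. With "conditional: all" this is every
  # packet Suricata sees on the monitored interface, which is what the
  # documentation sentence quoted in the post describes.
  - pcap-log:
      enabled: yes
      filename: log.pcap
      limit: 1000mb        # rotate the file at this size
      max-files: 2000      # keep at most this many rotated files
      compression: none
      mode: normal         # normal, multi or sguil
      use-stream-depth: no
      honor-pass-rules: no
      # all    -> log every packet (default behaviour)
      # alerts -> log only packets that triggered an alert
      # tag    -> log only packets selected by a rule's "tag" keyword
      conditional: alerts

  # Optional: have the JSON alert record also carry the offending packet,
  # so the alert and its bytes can be correlated without opening the pcap.
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            payload: yes          # base64 payload in the alert record
            packet: yes           # base64 packet in the alert record
            tagged-packets: yes   # emit records for packets captured via "tag"

# Constructed rule for use with "conditional: tag": after the match, the
# next 20 packets of the same session are tagged and written to log.pcap.
# Place it in a rule file referenced by rule-files; sid is a placeholder.
#
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE tag SSH session after match"; \
#   flow:to_server,established; content:"SSH-"; depth:4; \
#   tag:session,20,packets; sid:1000001; rev:1;)
```

With `conditional: alerts` the pcap contains only the packets that produced an alert, which answers the first question; the `tag` keyword (`tag:session|host, <count>, packets|seconds|bytes[, src|dst]`) is the post-detection option equivalent to Snort's and extends capture to follow-on packets of the flow or host, which answers the last one. Keep in mind that `alerts` mode writes the single alerting packet, not the surrounding stream, so investigations that need context are better served by `tag` or by a separate full-capture sensor.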