[Oisf-users] pcap's on alerts

Jacob King jake at hootsuite.com
Tue Jan 20 01:00:24 UTC 2015


This is something I'd be very interested in as well.

I've been maintaining a buffer pcap file on my servers to ensure that I
have enough information to find out what may be triggering an alert. It
would be much more effective to only log the traffic coming through when an
alert is triggered (or a predetermined list of alerts) then store the logs
based on importance, etc.

Any info you have would be awesome!

Jake.


*Jake King*
Security Engineer | Hootsuite <https://www.hootsuite.com/>
t: +1.604.812.3306 | @JakeKing <http://twitter.com/JakeKing>



On Mon, Jan 19, 2015 at 4:00 PM, <mail.list at taylorofthe.net> wrote:

> What is the best option to log only packets associated with alerts? In the
> Suricata documentation, it reads: "With the pcap-log option you can save all
> packets that are registered by Suricata in a log file named log.pcap." Is
> that all packets on the monitored interface? How does one get just the packets
> associated with a specific rule? Does the post-detection rule variable option
> work like it does in Snort?
>
> Thanks in advance
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
>
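The question above is how to keep only the packets tied to alerts rather than everything pcap-log captures. Besides pcap-log, Suricata's eve-log alert output can carry the triggering packet itself when `packet: yes` is set under the alert output, base64-encoded in a "packet" field with its link type in "packet_info.linktype". The script below, an added example for this thread and not code from Suricata or from either poster, reads eve.json alert lines, optionally filters them to a chosen set of signature IDs, and writes just those packets to a classic pcap file. The eve lines and the Ethernet/IPv4/UDP frame it uses as input are constructed for the example, and the signature IDs 1000001 and 1000002 are placeholders from the local-rules range, not real rules.

```python
"""Write a pcap containing only the packets Suricata attached to alerts.

Added example for this thread (not Suricata's code). It assumes the eve-log
alert output has `packet: yes` set, so each alert record carries the
triggering packet base64-encoded in "packet" and its link type in
"packet_info.linktype". All eve lines below are constructed for the example.
"""
import base64
import json
import struct
from datetime import datetime
from typing import Iterable, List, Optional, Set, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

Record = Tuple[int, int, bytes]  # (ts_sec, ts_usec, raw packet bytes)


def eve_timestamp(ts: str) -> Tuple[int, int]:
    """Convert an eve timestamp such as 2015-01-19T16:00:24.123456-0800
    into (seconds, microseconds) since the epoch."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp()), dt.microsecond


def extract_alert_packets(lines: Iterable[str],
                          sids: Optional[Set[int]] = None,
                          linktype: int = LINKTYPE_ETHERNET) -> List[Record]:
    """Return the packets from alert events, optionally only for the given
    signature IDs. Non-alert events and alerts logged without a packet are
    skipped; a packet with a different link type is an error, because a
    pcap file has exactly one link type."""
    records: List[Record] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert" or "packet" not in ev:
            continue
        if sids is not None and ev["alert"]["signature_id"] not in sids:
            continue
        lt = ev.get("packet_info", {}).get("linktype", linktype)
        if lt != linktype:
            raise ValueError(f"linktype {lt} differs from {linktype}")
        sec, usec = eve_timestamp(ev["timestamp"])
        records.append((sec, usec, base64.b64decode(ev["packet"])))
    return records


def build_pcap(records: List[Record], linktype: int = LINKTYPE_ETHERNET,
               snaplen: int = 65535) -> bytes:
    """Serialize records as a little-endian classic pcap file:
    24-byte global header, then a 16-byte record header per packet."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0,
                                snaplen, linktype))
    for sec, usec, pkt in records:
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return bytes(out)


def sample_frame(payload: bytes = b"hello") -> bytes:
    """Constructed 47-byte Ethernet/IPv4/UDP frame (checksums left zero)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip


def sample_eve_lines() -> List[str]:
    """Constructed eve.json lines: two alerts with packets, one flow event,
    and one alert logged without a packet (as with packet: no)."""
    pkt = base64.b64encode(sample_frame()).decode()

    def alert(sid: int, ts: str, with_packet: bool = True) -> str:
        ev = {"timestamp": ts, "event_type": "alert", "src_ip": "10.0.0.1",
              "dest_ip": "10.0.0.2", "proto": "UDP",
              "alert": {"signature_id": sid, "rev": 1,
                        "signature": f"LOCAL placeholder sid {sid}"}}
        if with_packet:
            ev["packet"] = pkt
            ev["packet_info"] = {"linktype": LINKTYPE_ETHERNET}
        return json.dumps(ev)

    return [
        alert(1000001, "2015-01-19T16:00:24.123456-0800"),
        json.dumps({"timestamp": "2015-01-19T16:00:25.000000-0800",
                    "event_type": "flow"}),
        alert(1000002, "2015-01-19T16:00:26.500000-0800"),
        alert(1000001, "2015-01-19T16:00:27.000000-0800", with_packet=False),
    ]


if __name__ == "__main__":
    recs = extract_alert_packets(sample_eve_lines(), sids={1000001})
    with open("alerts.pcap", "wb") as fh:
        fh.write(build_pcap(recs))
    print(f"wrote {len(recs)} alert packet(s) to alerts.pcap")
```

Run it against a real eve.json with `extract_alert_packets(open("eve.json"))` and the output opens in Wireshark or tcpdump like any other capture. Note that this only yields the single packet that fired each rule, not the surrounding session; later Suricata releases added a `conditional` setting to `pcap-log` (alerts or tagged packets only) that covers the session case without post-processing.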