[Oisf-users] pcap's on alerts

Jay M. jskier at gmail.com
Tue Jan 20 01:24:43 UTC 2015


Yes, I believe the setting you are looking at is all monitored packets
by suricata. Alert debugging is also verbose and useful, but not a
pcap.

In the beta 2.1 series, you can turn on packet under alert logging
which will create a KV pair for one 'packet' per alert in the eve.log
(so, not all packets, only alerts). The value will be in base64
encoding. It will allow you to decode fairly easily with scapy and a
python script.

I'm working on a python script, run pre-rotate, to pull out all alert
packets every time I rotate the eve.log (every hour to 6 hours
depending on time of day). Once I get it wrapped up (tuning json;
decoding was the easy part) I'll post it.

--
Jay
jskier at gmail.com


On Mon, Jan 19, 2015 at 6:00 PM,  <mail.list at taylorofthe.net> wrote:
> What is the best option to log only packets associated with alerts? In the suricata documentation, it reads: With the pcap-log option you can save all packets, that are registered by Suricata, in a log file named log.pcap. Is that all packets on the monitored interface? How does one get just the packets associated with a specific rule? Does the post-detection rule variable option work like it does in Snort?
>
> Thanks in advance
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
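The decode step Jay describes above, as an added example that is not the script from the thread and not Suricata's own code. It assumes each eve alert record carries a `packet` key holding the base64 of one captured Ethernet frame (DLT 1), uses only the standard library rather than scapy, and writes a classic pcap that scapy's `rdpcap` or any pcap reader can open. Partial JSON lines (the usual state of the last line at rotation time) and non-alert events are skipped instead of aborting. The eve records and the frame inside them are constructed for the example.

```python
"""Pull base64 alert packets out of a Suricata eve.json and write them as a pcap.

Added example. Assumption: every alert record has a "packet" field with the
base64 of one Ethernet frame, as described for the 2.1 beta packet-under-alert
option. The sample records below are constructed, not real Suricata output.
"""
import base64
import json
import struct
import sys
from datetime import datetime

PCAP_MAGIC = 0xA1B2C3D4
DLT_EN10MB = 1  # assumption: the frames were captured on Ethernet


def build_sample_frame() -> bytes:
    """Constructed Ethernet/IPv4/UDP frame used only as sample input."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    payload = b"constructed-test-payload"
    udp = struct.pack("!HHHH", 53, 12345, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload),
                     0, 0, 64, 17, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return eth + ip + udp + payload


# Constructed eve.json lines: one alert with a packet, one flow event,
# one alert without a packet, and a truncated line as left by log rotation.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2015-01-19T18:00:00.123456-0600",
                "event_type": "alert", "src_ip": "192.0.2.10",
                "alert": {"signature_id": 1000001},
                "packet": base64.b64encode(build_sample_frame()).decode()}),
    json.dumps({"timestamp": "2015-01-19T18:00:01.000000-0600",
                "event_type": "flow", "src_ip": "192.0.2.10"}),
    json.dumps({"timestamp": "2015-01-19T18:00:02.000000-0600",
                "event_type": "alert", "alert": {"signature_id": 1000002}}),
    '{"timestamp": "2015-01-19T18:00:03.00',
]


def eve_timestamp(ts: str):
    """Convert an eve timestamp (ISO 8601 with numeric offset) to (sec, usec)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp()), dt.microsecond


def alert_packets(lines):
    """Yield (sec, usec, raw_frame) for every alert record that carries a packet."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # partial line at rotation time: skip, do not abort the run
        if ev.get("event_type") != "alert" or "packet" not in ev:
            continue
        try:
            raw = base64.b64decode(ev["packet"], validate=True)
        except ValueError:
            continue  # corrupt base64: skip this record
        sec, usec = eve_timestamp(ev["timestamp"])
        yield sec, usec, raw


def build_pcap(packets, linktype=DLT_EN10MB) -> bytes:
    """Serialize (sec, usec, raw) tuples into a little-endian classic pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, raw in packets:
        out.append(struct.pack("<IIII", sec, usec, len(raw), len(raw)))
        out.append(raw)
    return b"".join(out)


def main(argv):
    # usage: eve_alert_pcap.py [eve.json] out.pcap   (reads stdin if no eve path)
    if len(argv) == 3:
        with open(argv[1]) as fh:
            pkts = list(alert_packets(fh))
    else:
        pkts = list(alert_packets(sys.stdin))
    with open(argv[-1], "wb") as out:
        out.write(build_pcap(pkts))
    print(f"wrote {len(pkts)} alert packets to {argv[-1]}")


if __name__ == "__main__":
    main(sys.argv)
```

The pcap header is written little-endian (magic bytes `d4 c3 b2 a1`), which every reader detects from the magic. Only the single packet attached to each alert is recovered; stream-reassembled segments that triggered the match are not in that field, so a pcap built this way is evidence of the alerting packet, not the full flow.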


