[Oisf-users] pcap's on alerts

Jacob King jake at hootsuite.com
Tue Jan 20 16:18:46 UTC 2015


Thanks, Jay.

Appreciate it.

Jake.


*Jake King*
Security Engineer| Hootsuite <https://www.hootsuite.com/>
t: +1.604.812.3306 | @JakeKing <http://twitter.com/JakeKing>



On Mon, Jan 19, 2015 at 5:24 PM, Jay M. <jskier at gmail.com> wrote:

> Yes, I believe the setting you are looking at is all monitored packets
> by suricata. Alert debugging is also verbose and useful, but not a
> pcap.
>
> In the beta 2.1 series, you can turn on packet under alert logging
> which will create a KV pair for one 'packet' per alert in the eve.log
> (so, not all packets, only alerts). The value will be in base64
> encoding. It will allow you to decode fairly easily with scapy and a
> python script.
>
> I'm working on a python script, run pre-rotate, to pull out all alert
> packets every time I rotate the eve.log (every hour to 6 hours
> depending on time of day). Once I get it wrapped up (tuning json;
> decoding was the easy part) I'll post it.
>
> --
> Jay
> jskier at gmail.com
>
>
> On Mon, Jan 19, 2015 at 6:00 PM,  <mail.list at taylorofthe.net> wrote:
> > What is the best option to log only packets associated with alerts? In
> > the suricata documentation, it reads: With the pcap-log option you can save
> > all packets, that are registered by Suricata, in a log file named log.pcap.
> > Is that all packets on the monitored interface? How does one get just the
> > packets associated with a specific rule? Does the post-detection rule
> > variable option work like it does in Snort?
> >
> > Thanks in advance
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Training now available: http://suricata-ids.org/training/
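Jay's approach above, pulling the base64 'packet' value out of eve.log alert records into a pcap, as an added example that is not code from the thread or from the Suricata project. It uses only the Python standard library instead of scapy, writes a classic libpcap file, and assumes an optional packet_info.linktype key (defaulting to Ethernet) plus constructed sample log lines.

```python
import base64
import json
import struct
from datetime import datetime

# Constructed sample frame (Ethernet header + bare IPv4 header, 34 bytes), used
# only to synthesise an eve.json alert line below; it is not data from the thread.
_FRAME = bytes.fromhex("000000000001" "000000000002" "0800"
                       "4500001400010000400000000a0000050a00000a")
SAMPLE_EVE = "\n".join([
    json.dumps({"timestamp": "2015-01-19T17:24:00.000000-0800", "event_type": "alert",
                "packet": base64.b64encode(_FRAME).decode(), "packet_info": {"linktype": 1}}),
    json.dumps({"timestamp": "2015-01-19T17:24:01.000000-0800", "event_type": "alert"}),
    json.dumps({"timestamp": "2015-01-19T17:24:02.000000-0800", "event_type": "flow"}),
])

def eve_timestamp(ts):
    """Suricata eve timestamp (microseconds, numeric UTC offset) -> (sec, usec)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp()), dt.microsecond

def alert_packets(lines, default_linktype=1):
    """Yield (sec, usec, linktype, raw_bytes) for alert events that carry a packet.
    'packet_info.linktype' is assumed optional here; default_linktype=1 is Ethernet."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # a rotate mid-write can leave a truncated last line; skip it
        if ev.get("event_type") != "alert" or "packet" not in ev:
            continue
        sec, usec = eve_timestamp(ev["timestamp"])
        linktype = ev.get("packet_info", {}).get("linktype", default_linktype)
        yield sec, usec, linktype, base64.b64decode(ev["packet"])

def build_pcap(packets):
    """Serialise (sec, usec, linktype, bytes) records as a classic libpcap file.
    Legacy pcap has a single linktype per file, so mixed linktypes are rejected."""
    packets = list(packets)
    linktype = packets[0][2] if packets else 1
    if any(p[2] != linktype for p in packets):
        raise ValueError("mixed linktypes; write one pcap per linktype")
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, _, raw in packets:
        out.append(struct.pack("<IIII", sec, usec, len(raw), len(raw)) + raw)
    return b"".join(out)

if __name__ == "__main__":
    with open("alerts.pcap", "wb") as f:
        f.write(build_pcap(alert_packets(SAMPLE_EVE.splitlines())))
```

Point alert_packets at the real eve.json instead of SAMPLE_EVE and the resulting file opens in tcpdump or Wireshark as one record per alert.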