[Oisf-users] pcap's on alerts
Cooper F. Nelson
cnelson at ucsd.edu
Tue Jan 20 17:51:10 UTC 2015
That's a new feature, glad to know about it!
You can also log alerts in Snort's unified2 alert format, which contains
packet captures for each unique alert that can be extracted. I have
some wrapper scripts to do this.
- -Coop
On 1/20/2015 8:18 AM, Jacob King wrote:
> Thanks, Jay.
>
> Appreciate it.
>
> Jake.
>
>
> *Jake King*
> Security Engineer | Hootsuite <https://www.hootsuite.com/>
>
> On Mon, Jan 19, 2015 at 5:24 PM, Jay M. <jskier at gmail.com> wrote:
>
> Yes, I believe the setting you are looking at is all monitored packets
> by Suricata. Alert debugging is also verbose and useful, but not a
> pcap.
>
> In the beta 2.1 series, you can turn on packet under alert logging
> which will create a KV pair for one 'packet' per alert in the eve.log
> (so, not all packets, only alerts). The value will be in base64
> encoding. It will allow you to decode fairly easily with scapy and a
> python script.
>
> I'm working on a Python script, run pre-rotate, to pull out all alert
> packets every time I rotate the eve.log (every hour to 6 hours
> depending on time of day). Once I get it wrapped up (tuning JSON;
> decoding was the easy part) I'll post it.
>
> --
> Jay
> jskier at gmail.com
>
>
> On Mon, Jan 19, 2015 at 6:00 PM, <mail.list at taylorofthe.net> wrote:
> > What is the best option to log only packets associated with
> > alerts? In the Suricata documentation, it reads: With the pcap-log
> > option you can save all packets, that are registered by Suricata, in
> > a log file named log.pcap. Is that all packets on the monitored
> > interface? How does one get just packets associated with a specific
> > rule? Does the post-detection rule variable option work like it does
> > in Snort?
> >
> > Thanks in advance
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Training now available: http://suricata-ids.org/training/
>
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
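For the extraction step Jay describes above (pulling the base64 `packet` value out of each alert record in eve.log and turning it into something a packet tool can read), here is an added example; it is not Jay's script and not code from the Suricata project. It uses only the Python standard library rather than scapy, so it runs with no dependencies, and writes a classic libpcap file that tcpdump or Wireshark can open. It assumes the record layout current Suricata eve alert output uses: the packet under the key `packet` (the KV pair mentioned in the thread) and the link type under `packet_info.linktype` (an assumption here; Ethernet is used when it is absent). The eve.json lines and the packet bytes are constructed for the example, not taken from a real sensor.

```python
"""Pull the per-alert packets out of a Suricata eve.json and write a pcap.

Added example, not the script Jay describes.  Assumes each alert record
carries the packet base64-encoded under "packet" and the DLT number under
"packet_info" -> "linktype" (assumed field; Ethernet is used if missing).
"""
import base64
import io
import json
import struct
from datetime import datetime

# Constructed sample packet (not a real capture): Ethernet + IPv4 + TCP SYN
# from 192.168.0.1:1234 to 192.168.0.2:80.  Checksums are left as zero.
SAMPLE_PACKET = bytes.fromhex(
    "ffffffffffff" "001122334455" "0800"                             # Ethernet
    "4500002800010000" "4006" "0000" "c0a80001" "c0a80002"           # IPv4
    "04d2" "0050" "00000000" "00000000" "5002" "0000" "0000" "0000"  # TCP
)

# Constructed eve.json lines: one alert carrying a packet, one flow record
# without one, and one line that is not JSON at all (a truncated write).
SAMPLE_EVE = "\n".join([
    json.dumps({
        "timestamp": "2015-01-20T08:18:00.123456+0000",
        "event_type": "alert",
        "alert": {"signature_id": 1000001, "signature": "CONSTRUCTED test sig"},
        "packet": base64.b64encode(SAMPLE_PACKET).decode("ascii"),
        "packet_info": {"linktype": 1},   # 1 = DLT_EN10MB (Ethernet)
    }),
    json.dumps({"timestamp": "2015-01-20T08:18:01.000000+0000",
                "event_type": "flow"}),
    "this line is not json",
])


def parse_eve_timestamp(ts):
    """Suricata writes '2015-01-20T08:18:00.123456+0000'; return (sec, usec)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp()), dt.microsecond


def extract_alert_packets(lines):
    """Yield (sec, usec, linktype, raw_bytes, alert_dict) for each alert record
    that carries a packet.  Non-alert and malformed lines are skipped rather
    than aborting, because eve.json is being appended to while we read it."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if rec.get("event_type") != "alert" or "packet" not in rec:
            continue
        sec, usec = parse_eve_timestamp(rec["timestamp"])
        linktype = rec.get("packet_info", {}).get("linktype", 1)
        yield sec, usec, linktype, base64.b64decode(rec["packet"]), rec["alert"]


def build_pcap(packets, linktype=1, snaplen=65535):
    """Serialise (sec, usec, raw) tuples as a classic little-endian libpcap
    file: 24-byte global header, then a 16-byte record header per packet."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    for sec, usec, raw in packets:
        out.write(struct.pack("<IIII", sec, usec, len(raw), len(raw)))
        out.write(raw)
    return out.getvalue()


def summarize_ethernet_ipv4(raw):
    """Minimal decode of Ethernet/IPv4 and TCP/UDP ports, enough to check that
    the extracted bytes match what the alert record claims."""
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        return {"ethertype": ethertype}
    ihl = (raw[14] & 0x0F) * 4
    proto = raw[23]
    info = {"src": ".".join(str(b) for b in raw[26:30]),
            "dst": ".".join(str(b) for b in raw[30:34]),
            "proto": proto}
    if proto in (6, 17):
        l4 = 14 + ihl
        info["sport"], info["dport"] = struct.unpack("!HH", raw[l4:l4 + 4])
    return info


def eve_to_pcap(eve_text):
    """Return (pcap_bytes, [(header_summary, signature), ...]) for the alerts."""
    found = list(extract_alert_packets(eve_text.splitlines()))
    linktype = found[0][2] if found else 1   # a pcap holds one DLT only
    pcap = build_pcap([(s, u, raw) for s, u, _, raw, _ in found], linktype)
    summaries = [(summarize_ethernet_ipv4(raw), alert["signature"])
                 for _, _, _, raw, alert in found]
    return pcap, summaries


if __name__ == "__main__":
    pcap, summaries = eve_to_pcap(SAMPLE_EVE)
    with open("alerts.pcap", "wb") as fh:
        fh.write(pcap)
    for summary, sig in summaries:
        print(sig, summary)
```

Run against a real file by feeding its lines to `extract_alert_packets` instead of `SAMPLE_EVE`, for instance from a pre-rotate hook as Jay intends. A single pcap can carry only one link type, so a sensor that mixes DLTs (Ethernet and raw IP, say) needs one output file per `linktype`.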