[Oisf-users] pcap's on alerts

Cooper F. Nelson cnelson at ucsd.edu
Tue Jan 20 17:51:10 UTC 2015



That's a new feature, glad to know about it!

You can also log alerts in Snort's unified2 alert format, which contains
packet captures for each unique alert that can be extracted.  I have
some wrapper scripts to do this.

-Coop

On 1/20/2015 8:18 AM, Jacob King wrote:
> Thanks, Jay.
> 
> Appreciate it.
> 
> Jake.
> 
> 
> *Jake King*
> Security Engineer| Hootsuite <https://www.hootsuite.com/>
> t: +1.604.812.3306 | @JakeKing <http://twitter.com/JakeKing>
> 
> On Mon, Jan 19, 2015 at 5:24 PM, Jay M. <jskier at gmail.com
> <mailto:jskier at gmail.com>> wrote:
> 
>     Yes, I believe the setting you are looking at is all monitored packets
>     by suricata. Alert debugging is also verbose and useful, but not a
>     pcap.
> 
>     In the beta 2.1 series, you can turn on packet under alert logging
>     which will create a KV pair for one 'packet' per alert in the eve.log
>     (so, not all packets, only alerts). The value will be in base64
>     encoding. It will allow you to decode fairly easily with scapy and a
>     python script.
> 
>     I'm working on a python script pre-rotate to pull out all alert
>     packets every time I rotate the eve.log (every hour to 6 hours
>     depending on time of day). Once I get it wrapped up (tuning JSON;
>     decoding was the easy part) I'll post it.
> 
>     --
>     Jay
>     jskier at gmail.com <mailto:jskier at gmail.com>
> 
> 
>     On Mon, Jan 19, 2015 at 6:00 PM,  <mail.list at taylorofthe.net
>     <mailto:mail.list at taylorofthe.net>> wrote:
>     > What is the best option to log only packets associated with
>     > alerts? In the Suricata documentation, it reads: With the pcap-log
>     > option you can save all packets, that are registered by Suricata, in
>     > a log file named log.pcap. Is that all packets on the monitored
>     > interface? How does one get just packets associated with a specific
>     > rule? Does the post-detection rule variable option work like it does
>     > in Snort?
>     >
>     > Thanks in advance
>     > _______________________________________________
>     > Suricata IDS Users mailing list:
>     > oisf-users at openinfosecfoundation.org
>     > <mailto:oisf-users at openinfosecfoundation.org>
>     > Site: http://suricata-ids.org | Support:
>     > http://suricata-ids.org/support/
>     > List:
>     > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>     > Training now available: http://suricata-ids.org/training/
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
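Jay's approach above, decoding the base64 'packet' field that Suricata 2.1's eve-log writes per alert (enabled with `packet: yes` under the eve-log `alert` output in suricata.yaml), as an added example that is not Jay's script and not part of this thread. It assumes Python 3 only, uses a hand-built Ethernet/IPv4/TCP frame and constructed eve.json lines instead of a real eve.log, and writes libpcap format directly rather than going through scapy.

```python
import base64
import json
import struct
from datetime import datetime

# Constructed sample: a 54-byte Ethernet/IPv4/TCP SYN header, hand-built so the
# example runs offline. In a real eve.log the 'packet' field holds the captured
# frame that triggered the alert, base64-encoded.
SAMPLE_PACKET = bytes.fromhex(
    "ffffffffffff" "001122334455" "0800"                        # Ethernet
    "45000028000040004006" "0000" "c0a80001" "c0a80002"         # IPv4, checksum 0
    "04d20050" "00000000" "00000000" "50020200" "0000" "0000"   # TCP SYN
)
# Constructed eve.json lines: an alert with a packet, an alert without one, a
# non-alert event, and a truncated line of the kind left at a rotation boundary.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2015-01-20T08:18:00.123456-0800", "event_type": "alert",
                "alert": {"signature_id": 1000001, "signature": "TEST SYN"},
                "packet": base64.b64encode(SAMPLE_PACKET).decode()}),
    json.dumps({"timestamp": "2015-01-20T08:18:01.000000-0800", "event_type": "alert",
                "alert": {"signature_id": 1000002}}),
    json.dumps({"timestamp": "2015-01-20T08:18:02.000000-0800", "event_type": "http"}),
    "{not valid json",
]

def _eve_timestamp(ts):
    # Suricata writes e.g. 2015-01-20T08:18:00.123456-0800; %z parses the offset.
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp()), dt.microsecond

def extract_alert_packets(lines):
    """Return (ts_sec, ts_usec, signature_id, raw_frame) for each alert event
    carrying a base64 'packet' field; other events and malformed lines are skipped."""
    out = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if ev.get("event_type") != "alert" or "packet" not in ev:
            continue
        sec, usec = _eve_timestamp(ev["timestamp"])
        out.append((sec, usec, ev.get("alert", {}).get("signature_id"),
                    base64.b64decode(ev["packet"])))
    return out

def to_pcap(records):
    """Serialise records as libpcap (magic 0xa1b2c3d4, v2.4, LINKTYPE_ETHERNET=1)."""
    buf = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for sec, usec, _sid, frame in records:
        buf += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(buf)

if __name__ == "__main__":
    with open("alert_packets.pcap", "wb") as fh:
        fh.write(to_pcap(extract_alert_packets(SAMPLE_EVE_LINES)))
```

The resulting file opens in Wireshark or tcpdump with one frame per alert; replace SAMPLE_EVE_LINES with the lines of a rotated eve.log to use it on real output.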
