[Oisf-users] Suricata response events

Jordon Carpenter jordon.carpenter at rooksecurity.com
Wed Jun 15 18:01:44 UTC 2016


Awesome, I will check that out. Thanks!


*Jordon Carpenter*
Rook Security <https://www.rooksecurity.com/>
*Anticipate, Manage, & Eliminate Threats*

O: 888.712.9531 x734
E: jordon.carpenter at rooksecurity.com


On Wed, Jun 15, 2016 at 1:55 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> The 'best practices' answer to this is that you should be using an
> indexed full-packet capture solution (like moloch) to review all alerts
> in context.
>
> -Coop
>
> On 6/15/2016 7:37 AM, jordon.carpenter at rooksecurity.com wrote:
> > Team,
> >
> > Need to turn on logging of response events when an alert fires.
> >
> > For example, when the signature ` ET WEB_SERVER Possible SQL Injection
> > Attempt UNION SELECT` fires, we need to log the response after it triggers.
> > We need to see what the server response to this request is.
> >
> > I know this can be done via Snort; is this possible with Suricata?
> >
> > *Thanks,*
> > *Jordon Carpenter*
> > Rook Security <https://www.rooksecurity.com/>
> > *Anticipate, Manage, & Eliminate Threats*
> >
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>
>
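Full-packet capture, as Cooper suggests, is the complete answer. A lighter check that is often enough for triage is to correlate Suricata's own eve.json output: the alert event and the http event for the same connection share a flow_id, and the http event is written when the transaction completes, so it carries the server's status code and response length even when the rule matched on the request alone. The script below does that correlation. It is an added example, not code from this thread or from the Suricata project; it assumes the eve.json field names shown (flow_id, event_type, alert.signature, http.status, http.length), and the four log lines are constructed for the demonstration rather than captured traffic. The signature_id value is a placeholder.

```python
import json
from collections import defaultdict

# Constructed eve.json lines, not real traffic. Assumption: every event on a
# connection carries the same flow_id, and the http event is logged once the
# transaction completes, so it includes the server's status even when the
# alert fired on the request. signature_id is a placeholder value.
SAMPLE_EVE_LINES = [
    # alert on the request of flow 1001
    '{"timestamp":"2016-06-15T07:37:01.000000+0000","flow_id":1001,'
    '"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10",'
    '"alert":{"signature":"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT",'
    '"signature_id":9000001,"category":"Web Application Attack"}}',
    # the completed HTTP transaction for flow 1001, with the response status
    '{"timestamp":"2016-06-15T07:37:01.200000+0000","flow_id":1001,'
    '"event_type":"http","src_ip":"198.51.100.7","dest_ip":"192.0.2.10",'
    '"http":{"hostname":"shop.example","url":"/item?id=1%20UNION%20SELECT%201,2",'
    '"http_method":"GET","status":500,"length":312}}',
    # an unrelated flow that raised no alert
    '{"timestamp":"2016-06-15T07:37:02.000000+0000","flow_id":1002,'
    '"event_type":"http","src_ip":"198.51.100.8","dest_ip":"192.0.2.10",'
    '"http":{"hostname":"shop.example","url":"/","http_method":"GET",'
    '"status":200,"length":5120}}',
    # an alert whose flow produced no http event (connection ended early)
    '{"timestamp":"2016-06-15T07:37:03.000000+0000","flow_id":1003,'
    '"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.0.2.10",'
    '"alert":{"signature":"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT",'
    '"signature_id":9000001,"category":"Web Application Attack"}}',
]


def parse_eve(lines):
    """Parse eve.json lines one JSON object per line; skip blank or malformed ones."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def index_http_by_flow(events):
    """Map flow_id -> http events on that flow, preserving log order."""
    by_flow = defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "http" and "flow_id" in ev:
            by_flow[ev["flow_id"]].append(ev)
    return by_flow


def responses_for_alerts(events):
    """Pair each alert with the HTTP transaction(s) logged on the same flow.

    Returns one row per (alert, transaction) with the response status and
    length; status is None when no http event exists for the alert's flow,
    which is itself worth noticing (the flow ended before a response).
    """
    http_by_flow = index_http_by_flow(events)
    rows = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        flow_id = ev.get("flow_id")
        signature = ev.get("alert", {}).get("signature")
        txs = http_by_flow.get(flow_id, [])
        if not txs:
            rows.append({"signature": signature, "flow_id": flow_id,
                         "url": None, "status": None, "response_length": None})
            continue
        for tx in txs:
            h = tx.get("http", {})
            rows.append({"signature": signature, "flow_id": flow_id,
                         "url": h.get("url"), "status": h.get("status"),
                         "response_length": h.get("length")})
    return rows


if __name__ == "__main__":
    for row in responses_for_alerts(parse_eve(SAMPLE_EVE_LINES)):
        print(row)
```

On real data, point parse_eve at the lines of eve.json and the output tells you, per alert, whether the server answered a UNION SELECT probe with a 500, a 200 of unusual length, or nothing at all; that is the context the original question asks for, without the body of the response, which only packet capture or a response-body logging setup would give you.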