[Oisf-users] Suricata response events

Duane Howard duane.security at gmail.com
Thu Jun 16 20:32:14 UTC 2016


Shameless plug for Stenographer as a solution for FPC here too:
https://github.com/google/stenographer

For a short-term hack you could also use tag:session,60,seconds or
similar to get the full stream content for the rules you want?

On Wed, Jun 15, 2016 at 12:05 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> I never got around to doing it, but Moloch uses ELK as its front end, so
> it's easy to integrate it with other tools.  You can build queries via a
> single HTTP request.
>
> So something you could do would be to have a cron job watch the text
> logs for events, scrape the events you are interested in, turn them into a
> Moloch URL and then email them to a SOC handler.  Then they can see the
> alert and just click the link to see the IP conversation in context.
>
> -Coop
>
> On 6/15/2016 11:01 AM, Jordon Carpenter wrote:
> > Awesome, I will check that out. Thanks!
> >
> >
> > *Jordon Carpenter*
> > Rook Security <https://www.rooksecurity.com/>
> > *Anticipate, Manage, & Eliminate Threats*
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net
>
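The cron-job idea Coop sketches above (scrape alerts from the text logs, turn each into a Moloch URL, mail them to a handler), as an added example that is not code from the thread or from the Suricata or Moloch projects. It reads Suricata EVE JSON (the `event_type`, `src_ip`/`src_port`/`dest_ip`/`dest_port`, `timestamp` and `alert.signature`/`alert.severity` fields), and assumes the Moloch viewer accepts a `/sessions` page with `expression`, `startTime` and `stopTime` query parameters in its own expression syntax (`ip.src == ...`, `port.dst == ...`); the host in `MOLOCH_BASE` is a placeholder and the sample log lines are constructed, not real traffic.

```python
import json
import sys
from datetime import datetime, timedelta
from urllib.parse import urlencode

# Assumed Moloch viewer base URL; a placeholder, not a real host.
MOLOCH_BASE = "https://moloch.example.org:8005"
# How far either side of the alert timestamp the session search should reach.
WINDOW = timedelta(minutes=5)

# Constructed sample EVE JSON lines (not real traffic). They include a
# non-alert record and a malformed line, both of which must be skipped.
SAMPLE_EVE = """\
{"timestamp":"2016-06-15T18:01:02.123456+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":1}}
{"timestamp":"2016-06-15T18:01:03.000000+0000","event_type":"dns","src_ip":"10.0.0.5","src_port":5353,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP"}
this line is not json
{"timestamp":"2016-06-15T18:02:00.000000+0000","event_type":"alert","src_ip":"198.51.100.9","src_port":4444,"dest_ip":"10.0.0.8","dest_port":22,"proto":"TCP","alert":{"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","severity":2}}
"""


def parse_alerts(text):
    """Yield the alert records from EVE JSON text, one JSON object per line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # rotation or a partial write can leave junk lines behind
        if rec.get("event_type") == "alert":
            yield rec


def moloch_url(rec, base=MOLOCH_BASE, window=WINDOW):
    """Build a Moloch session search for the alert's 4-tuple around its time."""
    ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    start = int((ts - window).timestamp())
    stop = int((ts + window).timestamp())
    # Assumed Moloch expression syntax; the viewer URL-decodes it.
    expr = " && ".join([
        f"ip.src == {rec['src_ip']}",
        f"port.src == {rec['src_port']}",
        f"ip.dst == {rec['dest_ip']}",
        f"port.dst == {rec['dest_port']}",
    ])
    query = urlencode({"expression": expr, "startTime": start, "stopTime": stop})
    return f"{base}/sessions?{query}"


def is_interesting(rec, max_severity=1):
    """Suricata severity 1 is the most severe; keep alerts at or above the bar."""
    return rec.get("alert", {}).get("severity", 3) <= max_severity


def build_links(text, max_severity=1):
    """Return (signature, url) pairs for the alerts worth a handler's attention."""
    return [(r["alert"]["signature"], moloch_url(r))
            for r in parse_alerts(text) if is_interesting(r, max_severity)]


def format_report(links):
    """Plain-text body suitable for piping into mail(1); empty when nothing fired."""
    if not links:
        return ""
    lines = ["Suricata alerts with Moloch context links:", ""]
    for sig, url in links:
        lines.append(f"- {sig}")
        lines.append(f"  {url}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # e.g. from cron:  alert_links.py /var/log/suricata/eve.json | mail -s ...
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    sys.stdout.write(format_report(build_links(source)))
```

A real cron deployment would also have to remember how far into eve.json it had already read (an offset file, or a logrotate-friendly tail), otherwise every run re-mails the same alerts; the severity threshold is there so a noisy rule set does not turn the handler's inbox into a second alert log.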