[Oisf-users] pcap of alerts only

Cooper F. Nelson cnelson at ucsd.edu
Fri Jun 24 06:01:13 UTC 2016


Use the unified2 alerts and then extract the pcaps from them.

Something like this...

> find unified2.alert.* -mmin -5 -exec u2boat -t pcap {} /tmp/{}.pcap \;


On 6/23/2016 6:47 PM, SiNA wrote:
> Hi!
> 
> How can I save pcap files of only the alerts generated rather than
> logging pcaps of all of the traffic passing through?
> 
> All the best,
> Sina
> 
> --
> SiNA
> PGP: 0x0B47D56D
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
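The extraction step in the reply above, as an added Python example that is not from the thread and is not u2boat's own code: it walks a unified2 byte stream, keeps only the type-2 packet records and writes them to a classic pcap. It assumes the unified2 layout of an 8-byte big-endian record header (type, length) followed, for packet records, by seven 32-bit fields before the raw packet; the sample record bytes are constructed for the demo.

```python
import struct

UNIFIED2_PACKET = 2                  # record type that carries the raw packet of an alert
U2_REC_HDR = struct.Struct(">2I")    # record type, record length (big-endian)
U2_PKT_HDR = struct.Struct(">7I")    # sensor_id, event_id, event_sec, pkt_sec, pkt_usec, linktype, pkt_len

def iter_unified2_records(data: bytes):
    """Yield (type, body) for each record; stop cleanly on a truncated tail."""
    off = 0
    while off + U2_REC_HDR.size <= len(data):
        rtype, rlen = U2_REC_HDR.unpack_from(data, off)
        off += U2_REC_HDR.size
        if off + rlen > len(data):
            break  # partial record, e.g. the sensor is still writing this file
        yield rtype, data[off:off + rlen]
        off += rlen

def extract_packets(data: bytes):
    """Return [(event_id, ts_sec, ts_usec, linktype, packet_bytes)] for every packet record."""
    out = []
    for rtype, body in iter_unified2_records(data):
        if rtype != UNIFIED2_PACKET or len(body) < U2_PKT_HDR.size:
            continue
        _sensor, event_id, _evt_sec, sec, usec, linktype, plen = U2_PKT_HDR.unpack_from(body)
        pkt = body[U2_PKT_HDR.size:U2_PKT_HDR.size + plen]
        if len(pkt) == plen:  # drop records whose declared packet length overruns the body
            out.append((event_id, sec, usec, linktype, pkt))
    return out

def write_pcap(packets, linktype=1) -> bytes:
    """Serialize packets into a classic libpcap file (magic 0xa1b2c3d4, v2.4, snaplen 65535)."""
    parts = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for _eid, sec, usec, _lt, pkt in packets:
        parts.append(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return b"".join(parts)

# Constructed sample: an unrelated record type (ignored), one packet record holding a
# minimal fake Ethernet frame, then a truncated record that a half-written file would leave.
FAKE_FRAME = bytes.fromhex("ffffffffffff00112233445508000102030405")
SAMPLE_U2 = (
    U2_REC_HDR.pack(7, 8) + b"\x00" * 8                      # type 7 event stub, skipped
    + U2_REC_HDR.pack(UNIFIED2_PACKET, U2_PKT_HDR.size + len(FAKE_FRAME))
    + U2_PKT_HDR.pack(1, 42, 1466748000, 1466748000, 123456, 1, len(FAKE_FRAME)) + FAKE_FRAME
    + U2_REC_HDR.pack(UNIFIED2_PACKET, 100)                  # truncated trailer, skipped
)
```

On a sensor, read a unified2.alert.* file into `extract_packets`, then write the bytes returned by `write_pcap` to disk; a file still being appended to will simply yield the records completed so far.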


