[Oisf-users] pcap of alerts only

Andreas Moe moe.andreas at gmail.com
Fri Jun 24 06:31:15 UTC 2016


Enabling "payload" or "packet" in the Eve log will also give access to the
content; if this is needed in PCAP format, I know that Jason Ish has done
some work on this:
https://blog.jasonish.org/2015/10/01/eve2pcap-eve-packet-and-payload-conversion-to-pcap/
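A sketch of the eve-to-pcap idea pointed to above, added here as an example (it is not Jason Ish's eve2pcap and not part of this message): read eve.json lines, keep only alert events that carry the base64 "packet" field, and write them out as a classic pcap file. The sample events and the 46-byte frame are constructed; the field names "packet" and "packet_info.linktype" are assumed to match Suricata's EVE output, with Ethernet used when no link type is given.

```python
import base64
import json
import struct
from datetime import datetime

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap format, microsecond timestamps
LINKTYPE_ETHERNET = 1     # assumed default if an event carries no packet_info.linktype

def eve_timestamp(ts):
    """Parse an EVE timestamp such as 2016-06-24T06:31:15.123456+0000 into (sec, usec)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp()), dt.microsecond

def alert_packets(eve_lines):
    """Yield (sec, usec, linktype, raw_frame) for alert events that carry a packet."""
    for line in filter(str.strip, eve_lines):
        event = json.loads(line)
        # Only alerts with the base64 "packet" field count; flow/http/dns events are skipped.
        if event.get("event_type") != "alert" or "packet" not in event:
            continue
        sec, usec = eve_timestamp(event["timestamp"])
        linktype = event.get("packet_info", {}).get("linktype", LINKTYPE_ETHERNET)
        yield sec, usec, linktype, base64.b64decode(event["packet"])

def alerts_to_pcap(eve_lines):
    """Return (pcap_bytes, packet_count) holding only the alert packets from eve_lines."""
    records = list(alert_packets(eve_lines))
    linktype = records[0][2] if records else LINKTYPE_ETHERNET
    # Global header: magic, version 2.4, tz offset 0, sigfigs 0, snaplen, link type
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, lt, frame in records:
        if lt != linktype:
            raise ValueError("a classic pcap file can hold only one link type")
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out, len(records)

# Constructed sample input: a flow event (ignored) and an alert whose "packet" is a hand-built
# 46-byte Ethernet/IPv4/UDP frame, base64-encoded the way the EVE "packet" field is assumed to be.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff00005e0053aa0800"                # Ethernet header, type IPv4
                              "450000200001000040110000c0000201c6336407")   # IPv4: UDP, 192.0.2.1 -> 198.51.100.7
                + struct.pack(">HHHH", 5353, 53, 12, 0) + b"test")          # UDP header + 4-byte payload
SAMPLE_EVE = [
    json.dumps({"timestamp": "2016-06-24T06:31:15.123456+0000", "event_type": "flow"}),
    json.dumps({"timestamp": "2016-06-24T06:31:15.123456+0000", "event_type": "alert",
                "alert": {"signature_id": 1000001, "signature": "CONSTRUCTED sample alert"},
                "packet": base64.b64encode(SAMPLE_FRAME).decode(), "packet_info": {"linktype": 1}}),
]
```

Writing `alerts_to_pcap(SAMPLE_EVE)[0]` to a file gives a pcap that tcpdump or Wireshark reads as usual, containing only the alert packets.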


On Fri 24 Jun 2016 at 08:01, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> Use the unified2 alerts and then extract the pcaps from them.
>
> Something like this...
>
> > find unified2.alert.* -mmin -5 -exec u2boat -t pcap {} /tmp/{}.pcap \;
>
>
> On 6/23/2016 6:47 PM, SiNA wrote:
> > Hi!
> >
> > How can I save pcap files of only the alerts generated rather than
> > logging pcaps of all of the traffic passing through?
> >
> > All the best,
> > Sina
> >
> > --
> > SiNA
> > PGP: 0x0B47D56D
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net
> >
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>