[Oisf-users] Log packets BEFORE a triggered packet.

Tom DeCanio decanio.tom at gmail.com
Tue Apr 11 21:59:38 UTC 2017


I picked up an old suricata PR for something called timemachine and fixed
up the issues that I discovered and got it working.  It does what I believe
folks are looking for.  It obviously has limits based on the available memory
on the machine on which this is running.

I could resubmit the PR containing my own modifications if people have an
interest in this.

Tom

On Tue, Apr 11, 2017 at 1:33 PM Jason Williams <jwilliams at emergingthreats.net> wrote:

> I believe constant full packet capture w/ suri or something such as moloch
> may be the answer for this.
>
> I've deployed suri and moloch in tandem for this purpose, until
> precognition makes its way to the suricata stack. :)
>
> Jason
>
> On Wed, Mar 1, 2017 at 4:41 AM, oleg gv <oagvozd at gmail.com> wrote:
>
>  Hello !
>
> How can I log packets BEFORE the packet that triggered a rule? The "Tag"
> rule option can log packets AFTER the activation packet, but I need to log
> BEFORE it.
>
> May be there is a patch for it ?
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
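
The mechanism the thread is after (keep the most recent packets in a memory-bounded
ring buffer, and when a rule fires write out the packets that arrived BEFORE the
trigger together with the trigger packet itself) can be sketched in a few dozen
lines. The example below is added here for illustration; it is not code from the
timemachine PR or from Suricata. The packets are constructed Ethernet frames with a
fake header, the trigger (payload contains "EVIL") is a hypothetical stand-in for a
rule match, and the memory bound is expressed in bytes of captured data, which is
where the "limited by available memory" trade-off shows up: once the buffer is full,
the oldest packets are evicted, so the pre-trigger history is only as deep as the
memory you give it.

```python
"""Pre-trigger packet ring buffer with pcap output (added illustration, not Suricata code)."""
import collections
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1        # DLT_EN10MB


class PreTriggerBuffer:
    """Keeps the newest packets up to a byte budget; evicts the oldest when full."""

    def __init__(self, max_bytes):
        self.max_bytes = max_bytes
        self.used = 0
        self._pkts = collections.deque()   # entries are (timestamp, raw_bytes)

    def push(self, ts, data):
        """Append a packet; returns how many old packets were evicted to stay under budget."""
        self._pkts.append((ts, data))
        self.used += len(data)
        evicted = 0
        # Always keep at least the packet just pushed, even if it alone exceeds the budget.
        while self.used > self.max_bytes and len(self._pkts) > 1:
            _, old = self._pkts.popleft()
            self.used -= len(old)
            evicted += 1
        return evicted

    def snapshot(self):
        """Oldest-to-newest copy of what is currently buffered."""
        return list(self._pkts)


def pcap_bytes(packets, linktype=LINKTYPE_ETHERNET):
    """Serialize (ts, data) pairs as a little-endian pcap file (global header + records)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for ts, data in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(data), len(data)))
        out.append(data)
    return b"".join(out)


def make_packet(payload):
    """Constructed frame: broadcast dst, made-up src MAC, EtherType 0x0800, then payload."""
    eth_header = bytes.fromhex("ffffffffffff0011223344550800")
    return eth_header + payload


def matches(data):
    """Hypothetical rule match: stands in for a Suricata signature firing on this packet."""
    return b"EVIL" in data


def sample_stream():
    """Constructed input: five 64-byte frames, half a second apart, last one triggers."""
    base = 1491948000.0   # arbitrary epoch seconds (April 2017)
    payloads = [b"A" * 50, b"B" * 50, b"C" * 50, b"D" * 50, b"EVIL" + b"x" * 46]
    return [(base + i * 0.5, make_packet(p)) for i, p in enumerate(payloads)]


def run(stream, max_bytes):
    """Feed packets through the buffer; on each trigger, dump pre-trigger packets plus the trigger."""
    buf = PreTriggerBuffer(max_bytes)
    dumps = []
    for ts, data in stream:
        buf.push(ts, data)          # push first so the trigger packet is the last entry
        if matches(data):
            dumps.append(buf.snapshot())
    return dumps


if __name__ == "__main__":
    # 200 bytes holds three 64-byte frames, so the first two are gone by the time EVIL arrives.
    for n, dump in enumerate(run(sample_stream(), max_bytes=200)):
        with open(f"pretrigger-{n}.pcap", "wb") as fh:
            fh.write(pcap_bytes(dump))
        print(f"dump {n}: {len(dump)} packets written")
```

With a 200-byte budget the dump contains the "C" and "D" frames followed by the
triggering frame; "A" and "B" were already evicted, which is exactly the memory
limitation Tom describes. In a real deployment the budget would be sized per
interface or per flow, and the buffer would hold packets from every thread, not
just one linear stream.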