[Oisf-users] Log packets BEFORE a triggered packet.
Tom DeCanio
decanio.tom at gmail.com
Tue Apr 11 21:59:38 UTC 2017
I picked up an old Suricata PR for something called timemachine, fixed
up the issues that I discovered, and got it working. It does what I believe
folks are looking for. It obviously has limits based on the available memory
on the machine on which this is running.
I could resubmit the PR containing my own modifications if people have an
interest in this.
Tom
On Tue, Apr 11, 2017 at 1:33 PM Jason Williams <
jwilliams at emergingthreats.net> wrote:
> I believe constant full packet capture w/ suri or something such as moloch
> may be the answer for this.
>
> I've deployed suri and moloch in tandem for this purpose, until
> precognition makes its way to the suricata stack. :)
>
> Jason
>
> On Wed, Mar 1, 2017 at 4:41 AM, oleg gv <oagvozd at gmail.com> wrote:
>
> Hello !
>
> How can I log packets BEFORE the packet that triggered a rule? The "tag"
> rule option can log packets AFTER the activation packet, but I need to log
> BEFORE it.
>
> Maybe there is a patch for it?
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
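The thread contrasts two approaches: full packet capture (Suricata pcap-log or Moloch) and a bounded in-memory "timemachine" buffer that can hand back the packets that arrived before an alert. The following is an added example of the second approach, written for this page; it is not Tom's PR, not Suricata code, and not Moloch. It keeps a per-flow ring buffer of the most recent packets and, when a (hypothetical) content match fires, writes the pre-trigger packets plus the trigger packet to a pcap file, which is the mirror image of what the "tag" option gives you. The flow key, the payloads, the timestamps and the `cmd.exe` trigger pattern are all constructed for the demo; packets are written with link type DLT_USER0 because the payloads are opaque bytes, not real frames.

```python
"""Pre-trigger packet buffering ("timemachine"-style), added example only.

The memory cost is bounded by depth * packet size * tracked flows, which is
the limit Tom mentions; max_flows evicts the oldest flow when it is reached.
"""
import struct
import tempfile
from collections import deque

# Constructed sample traffic for one TCP flow (not a real capture): opaque
# payload bytes with synthetic timestamps.  Only the last packet should alert.
SAMPLE_FLOW = "10.0.0.5:40000->10.0.0.9:80/tcp"
SAMPLE_PACKETS = [
    (1491947000.000100, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    (1491947000.000450, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    (1491947000.001200, b"GET /login HTTP/1.1\r\nHost: example\r\n\r\n"),
    (1491947000.001800, b"HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n"),
    (1491947000.002500, b"GET /cgi-bin/x?c=cmd.exe HTTP/1.1\r\n\r\n"),  # trigger
]
TRIGGER_PATTERN = b"cmd.exe"   # stand-in for a rule's content match (hypothetical)
DLT_USER0 = 147                # pcap link type for opaque, user-defined payloads


class PreTriggerBuffer:
    """Per-flow ring buffer holding the last `depth` packets of each flow."""

    def __init__(self, depth=3, max_flows=10_000):
        self.depth = depth
        self.max_flows = max_flows
        self.flows = {}  # flow_key -> deque[(ts, raw)]; dict order = insertion order

    def on_packet(self, flow_key, ts, raw, triggered):
        """Record one packet.

        Returns None normally; on a trigger returns the buffered packets that
        arrived BEFORE the trigger followed by the trigger packet itself, and
        clears the flow's buffer so the same context is not logged twice.
        """
        buf = self.flows.get(flow_key)
        if buf is None:
            if len(self.flows) >= self.max_flows:
                self.flows.pop(next(iter(self.flows)))   # evict oldest flow
            buf = self.flows[flow_key] = deque(maxlen=self.depth)
        if triggered:
            evidence = list(buf) + [(ts, raw)]
            buf.clear()
            return evidence
        buf.append((ts, raw))
        return None


def write_pcap(path, packets, linktype=DLT_USER0):
    """Write (ts, raw) pairs as a classic little-endian pcap file."""
    with open(path, "wb") as f:
        # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
        for ts, raw in packets:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            f.write(struct.pack("<IIII", sec, usec, len(raw), len(raw)))
            f.write(raw)


def read_pcap(path):
    """Parse the file back; returns (linktype, [(ts, raw), ...]) for verification."""
    with open(path, "rb") as f:
        data = f.read()
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    assert magic == 0xA1B2C3D4, "not a little-endian classic pcap"
    off, out = 24, []
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        out.append((sec + usec / 1_000_000, data[off:off + incl]))
        off += incl
    return linktype, out


def demo(depth=3):
    """Feed the sample flow through the buffer; on the trigger, dump evidence to a pcap.

    Returns (pcap_path, evidence_packets); (None, []) if nothing triggered.
    """
    ring = PreTriggerBuffer(depth=depth)
    for ts, raw in SAMPLE_PACKETS:
        evidence = ring.on_packet(SAMPLE_FLOW, ts, raw, TRIGGER_PATTERN in raw)
        if evidence:
            with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tmp:
                path = tmp.name
            write_pcap(path, evidence)
            return path, evidence
    return None, []


if __name__ == "__main__":
    path, evidence = demo()
    print(f"wrote {len(evidence)} packets (pre-trigger + trigger) to {path}")
```

With the default depth of 3, the first sample packet has already fallen out of the ring by the time the fifth packet triggers, so the pcap holds packets two through five; raise the depth (or the per-flow budget) and the memory use grows accordingly, which is the trade-off against the constant full-capture route Jason describes.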