[Oisf-users] Log packets BEFORE a triggered packet.

Peter Manev petermanev at gmail.com
Tue Apr 11 22:14:40 UTC 2017


On Tue, Apr 11, 2017 at 11:59 PM, Tom DeCanio <decanio.tom at gmail.com> wrote:
> I picked up an old suricata PR for something called timemachine and fixed up
> the issues that I discovered and got it working.  It does what I believe
> folks are looking for.  It is obviously limited based on available memory
> on the machine on which this is running.
>
> I could resubmit the PR containing my own modifications if people have an
> interest in this.
>

Yes please.

> Tom
>
> On Tue, Apr 11, 2017 at 1:33 PM Jason Williams
> <jwilliams at emergingthreats.net> wrote:
>>
>> I believe constant full packet capture w/ suri or something such as moloch
>> may be the answer for this.
>>
>> I've deployed suri and moloch in tandem for this purpose, until
>> precognition makes its way to the suricata stack. :)
>>
>> Jason
>>
>> On Wed, Mar 1, 2017 at 4:41 AM, oleg gv <oagvozd at gmail.com> wrote:
>>>
>>> Hello!
>>>
>>> How can I log packets BEFORE the packet that triggered a rule? The "tag"
>>> rule option can log packets AFTER the activation packet, but I need to log
>>> BEFORE it.
>>>
>>> Maybe there is a patch for it?
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>



-- 
Regards,
Peter Manev
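To make the mechanism the thread is asking for concrete, here is an added example, written for this post and not taken from Suricata or from the timemachine PR Tom mentions: a memory-bounded, per-flow ring buffer that keeps recent packets so that, when a rule fires, the packets seen before the triggering one can still be written out as a pcap. The flow key, packet contents and limits are constructed for the demo; a real integration would feed it the captured frames from the packet path and call `on_alert` from the detection stage. Dropping the least-recently-active flow first is the "limited by available memory" trade-off the reply describes.

```python
# Added example (not Suricata's own code, not the timemachine PR): a memory-bounded
# per-flow ring buffer that retains recent packets so that, when a rule fires,
# the packets seen BEFORE the triggering packet can still be written out.
from collections import OrderedDict, deque
import struct


class PreTriggerBuffer:
    """Keep the last N packets of every flow under a global byte budget.

    Flows are kept in least-recently-active order; when the budget is exceeded
    the whole least-recently-active flow is dropped first.
    """

    def __init__(self, per_flow_packets=64, max_bytes=64 * 1024 * 1024):
        self.per_flow_packets = per_flow_packets
        self.max_bytes = max_bytes
        self.used_bytes = 0
        self.flows = OrderedDict()      # flow_key -> deque of (ts, raw_packet)
        self.evicted_flows = 0

    def observe(self, flow_key, ts, pkt):
        """Record one packet; call this for every packet before detection runs."""
        q = self.flows.get(flow_key)
        if q is None:
            q = deque()
            self.flows[flow_key] = q
        else:
            self.flows.move_to_end(flow_key)   # mark as most recently active
        q.append((ts, pkt))
        self.used_bytes += len(pkt)
        if len(q) > self.per_flow_packets:     # per-flow ring: drop the oldest
            _, old = q.popleft()
            self.used_bytes -= len(old)
        while self.used_bytes > self.max_bytes:
            victim = next(iter(self.flows))    # least recently active flow
            if victim == flow_key:
                # only the current flow is left: shrink it instead of dropping it
                _, old = q.popleft()
                self.used_bytes -= len(old)
            else:
                dropped = self.flows.pop(victim)
                self.used_bytes -= sum(len(p) for _, p in dropped)
                self.evicted_flows += 1

    def on_alert(self, flow_key, trigger_ts):
        """Return retained packets of this flow that precede the triggering one."""
        q = self.flows.get(flow_key)
        if not q:
            return []
        return [(ts, p) for ts, p in q if ts < trigger_ts]


def to_pcap(packets, linktype=1):
    """Serialise (ts, raw_packet) pairs as a classic libpcap file (DLT 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for ts, pkt in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


FLOW_A = ("10.0.0.5", 44321, "192.0.2.10", 80, 6)   # constructed 5-tuple, proto 6 = TCP


def fake_packet(label, size=92):
    """Constructed placeholder frame; real use would pass the captured bytes."""
    return label.encode() + b"\x00" * (size - len(label))


def pre_trigger_demo():
    """Six packets on one flow, rule fires on the sixth: return what precedes it."""
    buf = PreTriggerBuffer(per_flow_packets=4, max_bytes=2000)
    for i in range(1, 7):
        buf.observe(FLOW_A, float(i), fake_packet(f"A{i}"))
    before = buf.on_alert(FLOW_A, trigger_ts=6.0)
    pcap = to_pcap(before)                 # what would be written next to the alert
    return [p[:2] for _, p in before], len(pcap)


if __name__ == "__main__":
    print(pre_trigger_demo())
```

With a ring of four packets per flow, the demo retains packets 3 to 6 and hands back 3, 4 and 5 when the alert fires on packet 6; the existing "tag" option would then cover everything from 6 onwards. Sizing `per_flow_packets` and `max_bytes` together is the whole tuning problem: a busy sensor with many flows will evict quiet flows long before their buffers fill.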
