[Oisf-users] Packet Capture

Cooper F. Nelson cnelson at ucsd.edu
Thu Jun 29 19:38:47 UTC 2017


Couple general comments about FPC.

If you are interested in capturing *everything* for either a specific IP
or interface, I would suggest using a dedicated solution like moloch.
It supports bpf filters if you only want to monitor a few hosts.

For 'http' alerts, you can disable stream tracking depth and store the
content associated with the request using the 'filestore'
keyword:

> http://suricata.readthedocs.io/en/latest/search.html?q=filestore&check_keywords=yes&area=default

Thinking about it, I think there is a solution that would work for you.

1.  Set up pcap logging, with enough space for maybe an hour of full
packet capture at peak load.

2.  Set up a log watcher (via cron or something else) to monitor the fast
alert file for the alerts in question.

3.  When you catch one, start a sleep timer for however many
seconds/minutes of traffic you want to capture.  Then either just
archive the pcap captures from that time window (if you want
everything), or use tcpdump to extract the flows you want from the files
via bpf filter.

If I were doing something like this I would probably keep it simple and
use a tmpfs partition (to avoid IO issues) configured to keep maybe five
minutes of full packet capture.  When an "interesting" alert fired I
would have a script merge all the pcap files to a single archive on disk
and then gzip it.

-Coop

On 6/29/2017 12:09 PM, Justin Pederson wrote:
> Is there a way with Suricata to start a full pcap on an interface for
> the entire interface or specific IP based on an alert from the IDS?
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
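The three-step watcher described in the message above (tail fast.log, wait out the post-alert window, merge the tmpfs ring buffer and pull the alerting flow out with a BPF filter), worked through as an added example. This is not code from the original post or from the Suricata project. Assumptions, all labelled in the code: the fast.log and pcap-log paths, the SIDs treated as "interesting", that the ring-buffer files are selected by mtime, and that mergecap (from Wireshark) and tcpdump are on PATH. The fast.log line layout it parses is Suricata's standard one-line alert format.

```python
"""Alert-triggered pcap harvesting from a Suricata pcap-log ring buffer.

Added example, not from the original post.  Suricata's pcap-log writes
rotated files into PCAP_DIR (a tmpfs, per the post) and alerts to fast.log.
Tail fast.log; when an alert with an interesting SID fires, wait
POST_ALERT_SECONDS, merge every ring-buffer file written since
PRE_ALERT_SECONDS before the alert, gzip that to disk, and also carve out
the alerting flow with a BPF filter.
"""
import gzip
import os
import re
import shutil
import subprocess
import time
from datetime import datetime

FAST_LOG = "/var/log/suricata/fast.log"         # assumed fast.log location
PCAP_DIR = "/mnt/pcap-ring"                     # assumed tmpfs holding pcap-log output
ARCHIVE_DIR = "/var/lib/suricata/pcap-archive"  # assumed on-disk destination
INTERESTING = {2100498, 2013028}                # hypothetical SIDs worth a capture
PRE_ALERT_SECONDS = 300                         # ring-buffer depth kept before the alert
POST_ALERT_SECONDS = 120                        # keep capturing this long after the alert

# fast.log: MM/DD/YYYY-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...]
#           [Priority: n] {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_fast_line(line):
    """Return a dict describing the alert, or None if the line is not an alert."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    # fast.log timestamps are local time unless Suricata is configured otherwise
    d["epoch"] = datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f").timestamp()
    return d


def bpf_for_alert(alert):
    """BPF that isolates the alerting flow (both directions) from a capture."""
    proto = alert["proto"].lower()
    hosts = "host {} and host {}".format(alert["src"], alert["dst"])
    if proto in ("tcp", "udp"):
        return "{} and {} and port {} and port {}".format(
            proto, hosts, alert["sport"], alert["dport"])
    return hosts  # ICMP etc.: ports are meaningless, keep the host pair


def capture_window(alert_epoch, pre=PRE_ALERT_SECONDS, post=POST_ALERT_SECONDS):
    """(start, deadline) epoch range whose traffic should be archived."""
    return alert_epoch - pre, alert_epoch + post


def pcaps_in_window(entries, start):
    """Pick ring-buffer files that may hold packets from `start` onward.

    `entries` is a list of (path, mtime).  A rotated file's mtime is its last
    write, so anything last written at or after `start` may contain packets in
    the window; older files cannot.  Sorted by name, which for timestamp-
    suffixed pcap-log files is chronological (assumption).
    """
    return sorted(path for path, mtime in entries if mtime >= start)


def list_pcaps(pcap_dir):
    """(path, mtime) for every pcap-log output file in pcap_dir."""
    out = []
    for name in os.listdir(pcap_dir):
        path = os.path.join(pcap_dir, name)
        if os.path.isfile(path) and ".pcap" in name:
            out.append((path, os.path.getmtime(path)))
    return out


def harvest(alert, pcap_files, archive_dir=ARCHIVE_DIR):
    """Merge the files (mergecap), gzip the merge, carve the flow (tcpdump)."""
    os.makedirs(archive_dir, exist_ok=True)
    tag = os.path.join(archive_dir, "{}_sid{}".format(int(alert["epoch"]), alert["sid"]))
    merged, flow = tag + ".all.pcap", tag + ".flow.pcap"
    subprocess.run(["mergecap", "-w", merged] + pcap_files, check=True)
    subprocess.run(["tcpdump", "-nn", "-r", merged, "-w", flow, bpf_for_alert(alert)],
                   check=True)
    with open(merged, "rb") as src, gzip.open(merged + ".gz", "wb") as dst:
        shutil.copyfileobj(src, dst)
    os.remove(merged)
    return merged + ".gz", flow


def watch(fast_log=FAST_LOG, pcap_dir=PCAP_DIR):
    """Tail fast.log and harvest POST_ALERT_SECONDS after each interesting alert."""
    pending = []  # (deadline, start, alert)
    with open(fast_log) as fh:
        fh.seek(0, os.SEEK_END)  # only react to alerts that fire from now on
        while True:
            line = fh.readline()
            alert = parse_fast_line(line) if line else None
            if alert and alert["sid"] in INTERESTING:
                start, deadline = capture_window(alert["epoch"])
                pending.append((deadline, start, alert))
            now = time.time()
            for job in [p for p in pending if p[0] <= now]:
                pending.remove(job)
                files = pcaps_in_window(list_pcaps(pcap_dir), job[1])
                if files:
                    print("archived", harvest(job[2], files))
            if not line:
                time.sleep(1)


if __name__ == "__main__":
    watch()
```

The selection by mtime is deliberately loose: with a five-minute tmpfs ring buffer, anything older than the window has already been rotated away, so "last written after the window start" is both cheap and sufficient; the BPF pass is what gives you the precise flow. If the same flow triggers several alerts in quick succession you will get one archive per alert, which is simple but worth deduplicating on a busy sensor.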
