[Oisf-users] Log packets BEFORE a triggered packet.

Duane Howard duane.security at gmail.com
Fri May 12 15:55:12 UTC 2017


FWIW, our hack for this is:
run stenographer,
run a script that tails Suricata alerts and requests the stream from
stenographer.

On Tue, Apr 11, 2017 at 3:14 PM, Peter Manev <petermanev at gmail.com> wrote:

> On Tue, Apr 11, 2017 at 11:59 PM, Tom DeCanio <decanio.tom at gmail.com> wrote:
> > I picked up an old suricata PR for something called timemachine and fixed up
> > the issues that I discovered and got it working.  It does what I believe
> > folks are looking for.  It obviously is limited based on available memory
> > on the machine on which this is running.
> >
> > I could resubmit the PR containing my own modifications if people have an
> > interest in this.
> >
>
> Yes please.
>
> > Tom
> >
> > On Tue, Apr 11, 2017 at 1:33 PM Jason Williams
> > <jwilliams at emergingthreats.net> wrote:
> >>
> >> I believe constant full packet capture w/ suri or something such as moloch
> >> may be the answer for this.
> >>
> >> I've deployed suri and moloch in tandem for this purpose, until
> >> precognition makes its way to the suricata stack. :)
> >>
> >> Jason
> >>
> >> On Wed, Mar 1, 2017 at 4:41 AM, oleg gv <oagvozd at gmail.com> wrote:
> >>>
> >>> Hello!
> >>>
> >>> How can I log packets BEFORE the packet that triggered a rule? The "Tag"
> >>> rule option can log packets AFTER the activation packet, but I need to log
> >>> BEFORE it.
> >>>
> >>> May be there is a patch for it ?
> >>>
> >>> _______________________________________________
> >>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>>
> >>
> >
> >
>
>
>
> --
> Regards,
> Peter Manev
>
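The "tail Suricata alerts, then ask stenographer for the stream" hack above, written out as an added example (not Duane's script, nor part of Suricata or stenographer). It reads Suricata's eve.json, picks out alert events, and builds a stenographer query over the flow's 5-tuple with a time window that starts before the alert timestamp, which is what gives you the packets that preceded the triggering packet. The window sizes, the constructed eve.json lines and the output path are assumptions; `stenoread` and its query keywords (host, port, protocol, after, before) are stenographer's own, and the extra `-w` argument is passed through to tcpdump as stenoread does.

```python
"""Tail Suricata eve.json and, for each alert, request the surrounding
packets from stenographer, including the seconds BEFORE the trigger.

Added example, not code from the mailing-list thread. Assumes stenographer
is running on this host and `stenoread` is on PATH (it is only invoked when
run=True, so the module can be exercised offline)."""
import json
import subprocess
from datetime import datetime, timedelta, timezone

# IP protocol numbers for the `protocol N` term of a stenographer query.
PROTO_NUMBERS = {"TCP": 6, "UDP": 17, "ICMP": 1}

# Assumed window: how far back before the alert, and how far after, to pull.
BEFORE_SECS = 60
AFTER_SECS = 10


def parse_eve_timestamp(ts):
    """Suricata eve timestamps look like 2017-05-12T15:55:12.123456+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def steno_time(dt):
    """stenographer accepts RFC3339 times in UTC, e.g. 2017-05-12T15:54:12Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_query(alert, before_secs=BEFORE_SECS, after_secs=AFTER_SECS):
    """Build a stenographer query string for the flow an alert fired on.

    'port A and port B' requires both ports in the same packet, so this
    selects exactly the one flow rather than everything touching either port.
    """
    ts = parse_eve_timestamp(alert["timestamp"])
    start = ts - timedelta(seconds=before_secs)
    # +1 s so the truncated-to-seconds 'before' bound still covers the
    # fractional part of the alert timestamp.
    end = ts + timedelta(seconds=after_secs + 1)
    terms = ["host %s" % alert["src_ip"], "host %s" % alert["dest_ip"]]
    # ICMP and other port-less protocols have no src_port/dest_port in eve.
    if "src_port" in alert and "dest_port" in alert:
        terms += ["port %d" % alert["src_port"], "port %d" % alert["dest_port"]]
    proto = PROTO_NUMBERS.get(alert.get("proto", "").upper())
    if proto is not None:
        terms.append("protocol %d" % proto)
    terms += ["after %s" % steno_time(start), "before %s" % steno_time(end)]
    return " and ".join(terms)


def stenoread_cmd(query, out_path):
    """argv for stenoread; '-w out.pcap' is handed through to tcpdump."""
    return ["stenoread", query, "-w", out_path]


def alerts_from_eve(lines):
    """Yield alert events from an iterable of eve.json lines, skipping the
    rest (flow, http, dns, ...) and any truncated/garbled line."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if event.get("event_type") == "alert":
            yield event


def handle_alert(alert, out_dir="/tmp", run=False):
    """Build the command for one alert; optionally execute it."""
    sid = alert.get("alert", {}).get("signature_id", 0)
    out_path = "%s/alert-%s-%s.pcap" % (out_dir, sid, alert.get("flow_id", "x"))
    cmd = stenoread_cmd(build_query(alert), out_path)
    if run:
        subprocess.run(cmd, check=True)
    return cmd


# Constructed sample eve.json lines (not real traffic): one flow record that
# must be ignored, one alert that must produce a query.
SAMPLE_EVE = [
    '{"timestamp":"2017-05-12T15:55:11.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.9","dest_ip":"192.0.2.1","proto":"UDP"}',
    '{"timestamp":"2017-05-12T15:55:12.250000+0000","flow_id":1234,'
    '"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,'
    '"dest_ip":"192.0.2.7","dest_port":4444,"proto":"TCP",'
    '"alert":{"signature_id":2000001,"signature":"constructed sample"}}',
]


def demo():
    """Return the stenoread command lines for the constructed sample."""
    return [handle_alert(a) for a in alerts_from_eve(SAMPLE_EVE)]


if __name__ == "__main__":
    # Real use: tail -F /var/log/suricata/eve.json | python3 this.py
    import sys
    for a in alerts_from_eve(sys.stdin):
        print(" ".join(handle_alert(a, run=True)))
```

Two caveats a practitioner should keep in mind: stenographer only has what is still within its disk-bounded retention, so the pre-alert window is capped by how much traffic the box holds, and the query is indexed on the 5-tuple, so for alerts on the second or later flow of a session (an FTP data channel, a redirected HTTP request) you will want to widen the terms to `host A and host B` only.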