[Oisf-users] logging packets on alerts only

Jeremy MJ jskier at gmail.com
Tue Oct 31 18:42:48 UTC 2017


You could also extract payload and packet data and decode it out of
the eve alert logs too. Jeff's suggestion would be more polished and
streamlined, probably the best way to go.

--
Jeremy MJ

On Tue, Oct 31, 2017 at 1:07 PM, Jeff Dyke <jeff.dyke at gmail.com> wrote:
>
> Thanks Cooper, that seems like the bit I was missing, as expected it was right in front of me.  I'll try that out.
>
> Thanks again,
> Jeff
>
> On Tue, Oct 31, 2017 at 1:04 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>>
>> Enable the Unified2 logging and then extract the pcaps with u2boat (ships with snort).
>>
>> -Coop
>>
>> On 10/31/2017 7:42 AM, Jeff Dyke wrote:
>>
>> I've read the docs regarding pcap.log, but was curious if I could log only packets that generate an alert (not a drop). I may have missed something in the eve configuration. It would not be the end of the world to use pcap, but wanted to make sure I wasn't missing something obvious.
>>
>> Thanks!
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>>
>>
>> --
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ITS Security Team
>> cnelson at ucsd.edu x41042
>
>
>

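Jeremy's route above, pulling the packet data back out of the EVE alert records, as an added example (not code from this thread or from the Suricata project). It assumes the eve-log alert output was configured with `packet: yes`, so each alert record carries a base64 `packet` field plus a `packet_info.linktype`, and it rebuilds a libpcap file from only those alert frames; the sample EVE lines are constructed here, not taken from a real sensor.

```python
import base64
import json
import struct
from datetime import datetime

PCAP_MAGIC = 0xA1B2C3D4          # libpcap magic, microsecond timestamps
EVE_TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # EVE timestamp, e.g. 2017-10-31T07:42:00.123456-0700


def alert_packets(eve_lines):
    """Return [(ts_sec, ts_usec, linktype, raw_frame)] for every alert record
    in an iterable of EVE JSON lines. Non-alert events, blank lines and alerts
    logged without 'packet: yes' (no 'packet' field) are skipped."""
    out = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert" or "packet" not in rec:
            continue
        ts = datetime.strptime(rec["timestamp"], EVE_TS_FMT)
        linktype = rec.get("packet_info", {}).get("linktype", 1)  # 1 = Ethernet
        raw = base64.b64decode(rec["packet"])
        out.append((int(ts.timestamp()), ts.microsecond, linktype, raw))
    return out


def build_pcap(packets, linktype=1):
    """Serialize decoded alert frames into a libpcap byte string (one link type per file)."""
    buf = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for ts_sec, ts_usec, lt, raw in packets:
        if lt != linktype:
            continue  # a frame of another link type would corrupt the capture; drop it
        buf += struct.pack("<IIII", ts_sec, ts_usec, len(raw), len(raw))
        buf += raw
    return bytes(buf)


def write_pcap(path, packets, linktype=1):
    """Write alert frames to a pcap file on disk; returns the number of bytes written."""
    data = build_pcap(packets, linktype)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


# Constructed sample: a 34-byte Ethernet + IPv4 header frame, one alert carrying it, one flow event.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff 001122334455 0800"
                             "4500001c 00010000 40110000 c0a80001 c0a80002")
SAMPLE_EVE = [
    json.dumps({"timestamp": "2017-10-31T07:42:00.123456-0700", "event_type": "alert",
                "alert": {"signature": "constructed test signature"},
                "packet": base64.b64encode(SAMPLE_FRAME).decode(),
                "packet_info": {"linktype": 1}}),
    json.dumps({"timestamp": "2017-10-31T07:42:01.000000-0700", "event_type": "flow"}),
]
```

Run against a real `eve.json` with `write_pcap("alerts.pcap", alert_packets(open("eve.json")))`; the resulting file opens in Wireshark or tcpdump like any other capture.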