[Oisf-users] logging packets on alerts only

Jeff Dyke jeff.dyke at gmail.com
Tue Oct 31 19:55:35 UTC 2017


Hmmm, I remember why I backed off that approach now (user error); that's a
bit embarrassing. For my needs currently, enabling that via the alert eve
logs should get me through.  These alerts are likely more of a question of
service/server misconfiguration than an attack vector, so the volume is
low, severity is low and only on one server.



On Tue, Oct 31, 2017 at 2:42 PM, Jeremy MJ <jskier at gmail.com> wrote:

> You could also extract payload and packet data and decode it out of
> the eve alert logs too. Jeff's suggestion would be more polished and
> streamlined, probably the best way to go.
>
> --
> Jeremy MJ
>
> On Tue, Oct 31, 2017 at 1:07 PM, Jeff Dyke <jeff.dyke at gmail.com> wrote:
> >
> > Thanks Cooper, that seems like the bit I was missing; as expected, it was
> > right in front of me.  I'll try that out.
> >
> > Thanks again,
> > Jeff
> >
> > On Tue, Oct 31, 2017 at 1:04 PM, Cooper F. Nelson <cnelson at ucsd.edu>
> > wrote:
> >>
> >> Enable the Unified2 logging and then extract the pcaps with u2boat
> >> (ships with snort).
> >>
> >> -Coop
> >>
> >> On 10/31/2017 7:42 AM, Jeff Dyke wrote:
> >>
> >> I've read the docs regarding pcap.log, but was curious if I could log
> >> only packets that generate an alert (not a drop). I may have missed
> >> something in the eve configuration. It would not be the end of the world to
> >> use pcap, but wanted to make sure I wasn't missing something obvious.
> >>
> >> Thanks!
> >>
> >>
> >> _______________________________________________
> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>
> >> Conference: https://suricon.net
> >> Trainings: https://suricata-ids.org/training/
> >>
> >>
> >> --
> >> Cooper Nelson
> >> Network Security Analyst
> >> UCSD ITS Security Team
> >> cnelson at ucsd.edu x41042
> >
>
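As an added example, not code from this thread or from the Suricata project: the extraction Jeremy describes (pull the base64 packet data out of the eve alert records), done as a small Python script that writes only the packets that raised an alert to a classic pcap file, which is the alert-only capture Jeff asked about. It assumes the eve-log alert output in suricata.yaml has "packet: yes" set (and optionally "payload: yes"), so each alert record carries a base64-encoded "packet" field and a "packet_info.linktype" value; the EVE records embedded below are constructed for the demonstration, including one non-alert event and one truncated line to show that they are skipped rather than aborting the run.

```python
"""Pull alert packets out of Suricata EVE JSON and write them to a pcap.

Added example, not code from the mailing-list thread or from Suricata.
Assumes the eve-log 'alert' output has 'packet: yes', so each alert record
carries a base64 'packet' field plus 'packet_info.linktype' (1 = Ethernet).
The sample EVE records at the bottom are constructed for this demo.
"""
import base64
import json
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_eve_timestamp_us(value):
    """EVE timestamps look like 2017-10-31T15:42:07.123456+0000; return
    integer microseconds since the epoch (integers avoid float rounding)."""
    if not value:
        return 0
    delta = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z") - EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def iter_alert_packets(lines):
    """Yield (timestamp_us, linktype, packet_bytes, alert_dict) for every
    alert record with a decodable 'packet'. Non-alert events, truncated
    lines and bad base64 are skipped so one bad line cannot stop the run."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict) or rec.get("event_type") != "alert":
            continue
        if "packet" not in rec:
            continue
        try:
            pkt = base64.b64decode(rec["packet"], validate=True)
        except (ValueError, TypeError):
            continue
        linktype = rec.get("packet_info", {}).get("linktype", LINKTYPE_ETHERNET)
        yield (parse_eve_timestamp_us(rec.get("timestamp")), linktype, pkt,
               rec.get("alert", {}))


def build_pcap_bytes(lines):
    """Return (pcap_bytes, stats). A pcap file has a single link type, so
    packets whose linktype differs from the first one seen are counted and
    skipped instead of corrupting the file."""
    out = bytearray()
    stats = {"written": 0, "skipped_linktype": 0}
    file_linktype = None
    for ts_us, linktype, pkt, _alert in iter_alert_packets(lines):
        if file_linktype is None:
            file_linktype = linktype
            # global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype
            out += struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, linktype)
        if linktype != file_linktype:
            stats["skipped_linktype"] += 1
            continue
        sec, usec = divmod(ts_us, 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt))  # record header
        out += pkt
        stats["written"] += 1
    return bytes(out), stats


def extract_to_pcap(lines, path):
    """Write the alert packets from an iterable of EVE lines to 'path'."""
    data, stats = build_pcap_bytes(lines)
    if stats["written"]:
        with open(path, "wb") as f:
            f.write(data)
    return stats


def build_sample_packet(payload):
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


SAMPLE_PAYLOAD = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_PACKET = build_sample_packet(SAMPLE_PAYLOAD)
SAMPLE_EVE = [  # constructed records, not real Suricata output
    json.dumps({
        "timestamp": "2017-10-31T15:42:07.123456+0000", "event_type": "alert",
        "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10", "proto": "TCP",
        "alert": {"signature_id": 1000001, "signature": "LOCAL constructed test alert"},
        "payload": base64.b64encode(SAMPLE_PAYLOAD).decode(),
        "packet": base64.b64encode(SAMPLE_PACKET).decode(),
        "packet_info": {"linktype": LINKTYPE_ETHERNET},
    }),
    json.dumps({"timestamp": "2017-10-31T15:42:08.000000+0000", "event_type": "flow"}),
    '{"timestamp": "2017-10-31T15:42:09.0',   # truncated line, as on a live log
]

if __name__ == "__main__":
    print(extract_to_pcap(SAMPLE_EVE, "alerts.pcap"))
```

On a real sensor the script reads eve.json (or the dedicated alert EVE file) line by line and writes alerts.pcap, which opens in any pcap reader; if the file mixes link types (for example a sensor capturing on both Ethernet and a raw-IP tunnel interface), the skipped count tells you a second file per link type is needed.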