[Oisf-users] Record traffic as soon as a threat is detected
jm at poure.com
Thu Sep 28 19:58:51 UTC 2017
I am a newcomer to the community and would like to thank you for the
hard work on Suricata.
After first use on my local network, I detected a Ransomware tracker
stream to IP 188.8.131.52. My logs are precise enough to know where
this 184.108.40.206 comes from. In the future, I will set up a central
Syslog server and record IPs and proxy activity extensively.
This IP might be a false positive, but I would like to enquire more.
Is there a way to trigger packet recording as soon as a (precise)
threat is detected? I am planning to copy all traffic to port 24 of my
switch and silently listen to/record all traffic. But this can be huge.
So is there a way to trigger pcap traffic sniffing/recording as soon as a
threat is detected? Or is there a way to record all traffic
continuously and keep only the traffic when a threat is detected?
More generally, what kind of tool, apart from a syslog server, do you use to
study attacks (sorry for this general question) and record traffic in a
Sorry for those big questions ...
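The "record continuously but keep only flows that alerted" behaviour the post asks about can be expressed in Suricata's own pcap-log output. The following suricata.yaml fragment is an added example, not part of the original post; it assumes Suricata 6.0 or later, where the pcap-log `conditional` option exists, and a log directory writable by Suricata.

```yaml
# Added example: selective full-packet capture driven by detection.
# Only packets of flows that raised an alert are written to disk,
# so the capture stays small on a busy span/mirror port.
outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap      # written under default-log-dir
      limit: 1000mb           # rotate when a file reaches this size
      max-files: 2000         # keep at most this many rotated files
      mode: normal            # single rotating file set
      use-stream-depth: no    # do not stop capturing at stream.reassembly.depth
      honor-pass-rules: no    # still capture flows matched by pass rules
      # all    -> every packet seen (the "huge" option from the post)
      # alerts -> only flows that triggered an alert
      # tag    -> only flows/hosts marked by a rule's tag keyword
      conditional: alerts
```

Switching `conditional` to `tag` lets individual rules decide how long to keep recording after a hit (via the `tag` keyword), which is useful when a single alert should preserve the whole session rather than just the alerting packets.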