[Oisf-users] Record traffic as soon as a thread is detected

Jean-Michel Pouré jm at poure.com
Thu Sep 28 19:58:51 UTC 2017

Dear all,

I am a newcomer in the community and would like to thank you for the
hard work on suricata. 

After first use on my local network, I detected a Ransomeware tracker
stream to IP My logs are enough precise to know where
this comes from. In the future, I will set up a Syslog
central server and make extensive recording of IPs and proxy activity.

This IP might be a false positive, but I would like to enquire more. 

Is there a way to trigger packet recording as soon as a (precise)
threat is detected. I am planning to copy all traffic to port 24 of my
switch and listen/record silently all traffic. But this can be huge
traffic ...

So is there way to trigger pcap traffic sniffing/recording as soon as a
threat is detected? Or is there a way to record all traffic
continuously and keep only traffic when a treat is detected?

More generally, what kind of tool except a syslog server to you use to
study attacks (sorry for this general question) and record traffic in a
smart way?

Sorry for those big questions ...

Kind regards,

More information about the Oisf-users mailing list