[Oisf-users] Record traffic as soon as a threat is detected
Jean-Michel Pouré
jm at poure.com
Thu Sep 28 19:58:51 UTC 2017
Dear all,
I am a newcomer in the community and would like to thank you for the
hard work on suricata.
After first use on my local network, I detected a Ransomware tracker
stream to IP 209.99.40.222. My logs are precise enough to know where
this 209.99.40.222 comes from. In the future, I will set up a central
Syslog server and make extensive recordings of IPs and proxy activity.
This IP might be a false positive, but I would like to enquire further.
Is there a way to trigger packet recording as soon as a (precise)
threat is detected? I am planning to copy all traffic to port 24 of my
switch and silently listen to/record all traffic. But this can be a huge
amount of traffic ...
So is there a way to trigger pcap traffic sniffing/recording as soon as a
threat is detected? Or is there a way to record all traffic
continuously and keep only the traffic from when a threat is detected?
More generally, what kind of tool, apart from a syslog server, do you use to
study attacks (sorry for this general question) and record traffic in a
smart way?
Sorry for those big questions ...
Kind regards,
Kellogs
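The second approach asked about above (record everything, then keep only the traffic around a detection) is shown here as an added example that is not part of the original post and is not Suricata code. It reads Suricata's EVE JSON alert log, normalises each alert to a direction-independent flow key, and copies out of a full-packet pcap only the packets of alerted flows that fall inside a window from a few seconds before the alert to a minute after it. Suricata itself offers the `tag` rule keyword and the `pcap-log` output for the same purpose; this script is for when the capture comes from a separate tap or ring buffer. The pcap and the EVE line are constructed inline; the client address 10.0.0.5, the ports, the signature id and the sample clock are assumptions, while 209.99.40.222 is the address from the post.

```python
# Keep only the packets of flows Suricata alerted on. Added example, not part of
# the original post or of Suricata; assumes little-endian libpcap with Ethernet
# frames and Suricata EVE JSON. All packets, addresses and alerts are constructed.
import json
import struct
from datetime import datetime

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def build_frame(src, dst, sport, dport, proto="TCP", payload=b""):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame; checksums are left zero."""
    if proto == "TCP":
        l4, ipproto = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0), 6
    else:
        l4, ipproto = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0), 17
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, ipproto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4  # Ethernet header, EtherType IPv4

def write_pcap(packets):
    """packets: iterable of (epoch_seconds, frame); returns pcap file bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for ts, pkt in packets:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, round((ts - sec) * 1_000_000), len(pkt), len(pkt)) + pkt)
    return b"".join(out)

def read_pcap(data):
    """Yield (epoch_seconds, frame) from pcap bytes in the layout write_pcap emits."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1_000_000, data[off:off + caplen]
        off += caplen

def five_tuple(pkt):
    """(proto, src, sport, dst, dport) for IPv4 TCP/UDP over Ethernet, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    l4, ipproto = 14 + (pkt[14] & 0x0F) * 4, pkt[23]
    if ipproto not in (6, 17) or len(pkt) < l4 + 4:
        return None
    src = ".".join(str(b) for b in pkt[26:30])
    dst = ".".join(str(b) for b in pkt[30:34])
    sport, dport = struct.unpack_from("!HH", pkt, l4)
    return ("TCP" if ipproto == 6 else "UDP", src, sport, dst, dport)

def flow_key(proto, src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation match."""
    return (proto, frozenset({(src, sport), (dst, dport)}))

def alerted_flows(eve_lines):
    """Map each alerted flow to the epoch time of its first alert (EVE timestamps
    look like 2017-09-28T19:58:51.123456+0000)."""
    flows = {}
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        key = flow_key(ev["proto"].upper(), ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"])
        when = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()
        flows.setdefault(key, when)
    return flows

def extract_alerted_traffic(pcap_bytes, eve_lines, before=5.0, after=60.0):
    """Return (pcap_bytes, kept_count): only packets of alerted flows captured from
    `before` seconds ahead of the alert to `after` seconds past it survive."""
    flows, kept = alerted_flows(eve_lines), []
    for ts, pkt in read_pcap(pcap_bytes):
        ft = five_tuple(pkt)
        alert_ts = flows.get(flow_key(*ft)) if ft else None
        if alert_ts is not None and alert_ts - before <= ts <= alert_ts + after:
            kept.append((ts, pkt))
    return write_pcap(kept), len(kept)

def demo():
    """Constructed capture plus one constructed EVE alert on the post's IP."""
    t0 = 1506628731.0  # 2017-09-28T19:58:51Z, the post's date; the clock is assumed
    client, c2 = "10.0.0.5", "209.99.40.222"  # client address is an assumption
    capture = write_pcap([
        (t0 - 300, build_frame(client, "192.0.2.53", 53000, 53, "UDP", b"\x00" * 12)),
        (t0 - 2, build_frame(client, c2, 49152, 80)),
        (t0, build_frame(client, c2, 49152, 80, payload=b"GET / HTTP/1.1\r\n\r\n")),
        (t0 + 0.5, build_frame(c2, client, 80, 49152, payload=b"HTTP/1.1 200 OK\r\n\r\n")),
        (t0 + 1, build_frame("10.0.0.7", "198.51.100.10", 49153, 443)),  # unrelated flow
        (t0 + 1.5, b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28),  # ARP, no IP header
        (t0 + 120, build_frame(client, c2, 49152, 80)),  # alerted flow, outside window
    ])
    eve = [json.dumps({"timestamp": "2017-09-28T19:58:51.000000+0000", "event_type": "alert",
                       "src_ip": client, "src_port": 49152, "dest_ip": c2, "dest_port": 80,
                       "proto": "TCP", "alert": {"signature_id": 9000001,
                                                  "signature": "constructed test alert"}})]
    return extract_alerted_traffic(capture, eve)  # -> (pcap bytes, 3)

if __name__ == "__main__":
    pcap, n = demo()
    print(f"kept {n} packets, {len(pcap)} bytes of pcap")
```

In the constructed run, the DNS lookup, the unrelated TLS flow, the ARP frame and the late packet of the alerted flow are all dropped, and the three packets of the flow to 209.99.40.222 around the alert are written out; the reverse-direction response survives because the flow key ignores direction. On a real sensor the same logic can be pointed at the files a tcpdump or dumpcap ring buffer rotates through, with unmatched files deleted once their time window has passed, which keeps the retained volume proportional to the number of alerts rather than to link speed. The parser deliberately handles only IPv4 over plain Ethernet; VLAN-tagged or IPv6 frames return None and would need their headers added before this could be used on such traffic.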