[Oisf-users] Record traffic as soon as a threat is detected

Francis Trudeau ftrudeau at emergingthreats.net
Thu Sep 28 22:18:24 UTC 2017


For the record, that IP is a true positive:

https://ransomwaretracker.abuse.ch/ip/209.99.40.222/
On Thu, Sep 28, 2017 at 1:58 PM, Jean-Michel Pouré <jm at poure.com> wrote:
> Dear all,
>
> I am a newcomer in the community and would like to thank you for the
> hard work on suricata.
>
> After first use on my local network, I detected a Ransomware tracker
> stream to IP 209.99.40.222. My logs are precise enough to know where
> this 209.99.40.222 comes from. In the future, I will set up a Syslog
> central server and make extensive recordings of IPs and proxy activity.
>
> This IP might be a false positive, but I would like to enquire more.
>
> Is there a way to trigger packet recording as soon as a (precise)
> threat is detected? I am planning to copy all traffic to port 24 of my
> switch and listen/record silently all traffic. But this can be huge
> traffic ...
>
> So is there a way to trigger pcap traffic sniffing/recording as soon as a
> threat is detected? Or is there a way to record all traffic
> continuously and keep only traffic when a threat is detected?
>
> More generally, what kind of tool, other than a syslog server, do you use to
> study attacks (sorry for this general question) and record traffic in a
> smart way?
>
> Sorry for those big questions ...
>
> Kind regards,
> Kellogs
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
