[Oisf-users] Record traffic as soon as a threat is detected

Cooper F. Nelson cnelson at ucsd.edu
Thu Sep 28 22:19:19 UTC 2017

On 9/28/2017 12:58 PM, Jean-Michel Pouré wrote:
> Is there a way to trigger packet recording as soon as a (precise)
> threat is detected. I am planning to copy all traffic to port 24 of my
> switch and listen/record silently all traffic. But this can be huge
> traffic ...
Not in a generic sense.  You can use the 'filestore' to store HTTP files
associated with a specific http sig, however.
> So is there a way to trigger pcap traffic sniffing/recording as soon as a
> threat is detected? Or is there a way to record all traffic
> continuously and keep only traffic when a threat is detected?

Theoretically yes.  You do something like keep 15 minutes worth of pcaps
and then extract the flow from them using a script and tcpdump. 

> More generally, what kind of tool except a syslog server do you use to
> study attacks (sorry for this general question) and record traffic in a
> smart way?


Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
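Added example (not from Cooper's message or the Suricata project) of the "keep 15 minutes of pcaps, then carve the flow out with a script and tcpdump" approach described above. It assumes a ring buffer written by tcpdump with strftime-named one-minute files, e.g. `TZ=UTC tcpdump -i eth0 -n -G 60 -W 15 -w '/var/ring/%Y%m%d%H%M%S.pcap'`, that the sensor clock is UTC, and that alerts arrive as Suricata eve.json records carrying the 5-tuple and a `flow.start` field. The EVE lines, file names and the ring/output directory names are constructed for the demo.

```python
#!/usr/bin/env python3
"""Carve an alerting flow out of a tcpdump ring buffer.

Assumed capture setup (an assumption, not from the original thread):
    TZ=UTC tcpdump -i eth0 -n -G 60 -W 15 -w '/var/ring/%Y%m%d%H%M%S.pcap'
i.e. one file per minute, 15 files kept = 15 minutes of history.
"""
import json
import os
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed EVE records for the demo; not captured from a real sensor.
SAMPLE_EVE = """\
{"timestamp":"2017-09-28T22:10:05.123456+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"},"flow":{"start":"2017-09-28T22:10:04.900000+0000"}}
{"timestamp":"2017-09-28T22:10:06.000000+0000","event_type":"dns","src_ip":"10.0.0.5","src_port":53000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP"}
this line is deliberately not JSON
"""


def parse_ts(ts):
    """EVE timestamps look like 2017-09-28T22:10:05.123456+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_alerts(eve_text):
    """Return only event_type == alert records; skip other events and junk lines."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def bpf_for_alert(alert):
    """5-tuple BPF filter matching both directions of the flow.

    'host A and host B' is direction-agnostic; ports only exist for TCP/UDP,
    and tcpdump rejects 'port' combined with icmp, so they are omitted there.
    """
    proto = alert["proto"].lower()
    if proto not in ("tcp", "udp", "icmp"):
        raise ValueError(f"unsupported proto {alert['proto']!r}")
    expr = f"{proto} and host {alert['src_ip']} and host {alert['dest_ip']}"
    if proto in ("tcp", "udp"):
        expr += f" and port {alert['src_port']} and port {alert['dest_port']}"
    return expr


def flow_window(alert, slack=timedelta(seconds=5)):
    """[first packet - slack, alert time + slack]; if the record has no
    flow.start, fall back to the alert timestamp itself."""
    end = parse_ts(alert["timestamp"])
    start = parse_ts(alert.get("flow", {}).get("start", alert["timestamp"]))
    return start - slack, end + slack


def ring_file_start(name):
    """Recover a ring file's start time from the strftime name tcpdump -G gave it.
    Assumes the capture host ran with TZ=UTC (see module docstring)."""
    stem = os.path.basename(name).split(".")[0]
    return datetime.strptime(stem, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def select_ring_files(names, start, end, rotate=timedelta(seconds=60)):
    """Ring files whose [file_start, file_start + rotate] span overlaps [start, end]."""
    picked = [n for n in names
              if ring_file_start(n) <= end and ring_file_start(n) + rotate >= start]
    return sorted(picked, key=ring_file_start)


def tcpdump_extract_cmd(infile, bpf, outfile):
    """argv for: read one ring file, keep only the flow's packets, write them out."""
    return ["tcpdump", "-n", "-r", infile, "-w", outfile, bpf]


def extract_flow(alert, ring_dir, out_dir, rotate=timedelta(seconds=60)):
    """Run tcpdump over every ring file that can hold the flow; return output paths."""
    names = [os.path.join(ring_dir, f) for f in os.listdir(ring_dir) if f.endswith(".pcap")]
    start, end = flow_window(alert)
    bpf = bpf_for_alert(alert)
    outputs = []
    for f in select_ring_files(names, start, end, rotate):
        out = os.path.join(out_dir, f"sid{alert['alert']['signature_id']}-{os.path.basename(f)}")
        subprocess.run(tcpdump_extract_cmd(f, bpf, out), check=True)
        outputs.append(out)
    return outputs


if __name__ == "__main__":
    # Offline: show what would be carved for the constructed alert.
    for a in parse_alerts(SAMPLE_EVE):
        s, e = flow_window(a)
        print(a["alert"]["signature"], "|", bpf_for_alert(a), "|", s, "->", e)
    # Live: python3 carve.py /var/ring /var/carved < eve.json
    if len(sys.argv) == 3:
        for a in parse_alerts(sys.stdin.read()):
            print(extract_flow(a, sys.argv[1], sys.argv[2]))
```

The window is padded by a few seconds on each side because flow.start is the first packet Suricata saw, not necessarily the first packet on the wire, and the file selection keys on the rotation interval so a flow that straddles a rotation boundary is pulled from both files. The selected files can be merged afterwards with mergecap if a single pcap is wanted.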
