[Oisf-users] Dump gzipped content

Peter Manev petermanev at gmail.com
Wed Oct 24 13:03:14 UTC 2018


On Wed, Oct 24, 2018 at 2:41 PM Davide Setti <d.setti at certego.net> wrote:

> Maybe I should also tell that I can not enable Full Packet Capture.
>
> Was just wondering if it is possible to log the content of the internal
> buffers used by Suricata (which should be able to decode the gzipped
> content and analyze it).
>
>
You mean - like dump it to disk/log (not just the one from the alerts)?
I haven't tried this in a while, but maybe it is what you need -
https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L552 ?


> Thanks,
> Davide
> On Wed, 24 Oct 2018 at 14:30 Kevin Geil <
> info at friendandfamilytech.com> wrote:
>
>> If you have full packet captures, you can filter out the traffic you
>> need, then "follow tcp stream" in Wireshark. You can try this with a single
>> packet, but it might not be enough data.
>>
>> Kevin
>>
>
>
> --
> <http://www.certego.net/>
> Davide Setti
> R&D and Incident Response Team, Certego
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/



-- 
Regards,
Peter Manev
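As an added illustration, not text from this thread and not the content of the suricata.yaml.in line Peter links to, the usual way to get Suricata's decoded HTTP bodies onto disk without full packet capture is the file-store output. Suricata's HTTP parser (libhtp) undoes Content-Encoding before the body reaches the file-extraction code, so what gets written is the decompressed body, i.e. the same data the detection engine inspected. The directory and the stream-depth value below are assumptions chosen for the example:

```yaml
# Added example: an "outputs" fragment for suricata.yaml (Suricata 4.1+ file-store v2).
# Not the project's shipped default and not the linked line of suricata.yaml.in.
outputs:
  - file-store:
      version: 2
      enabled: yes
      dir: /var/log/suricata/filestore   # assumed path; files land in sha256-named subdirectories
      force-filestore: yes   # store every extracted file, not only those a rule tags with "filestore"
      force-hash: [sha256]   # always compute the hash so every stored body can be looked up
      write-fileinfo: yes    # emit a fileinfo record next to each stored file
      stream-depth: 0        # 0 = no limit on how far into the stream to reassemble (assumption for this setup)
```

With `force-filestore: no` only responses matched by a rule that carries the `filestore` keyword are written, which keeps the volume manageable on a busy sensor. Stored bodies are still bounded by the libhtp `response-body-limit` (and `request-body-limit`) settings under `app-layer: protocols: http`, so a large gzipped response will be truncated at that limit regardless of `stream-depth`.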

