[Oisf-users] Dump gzipped content
Peter Manev
petermanev at gmail.com
Wed Oct 24 13:19:33 UTC 2018
On Wed, Oct 24, 2018 at 3:17 PM Davide Setti <d.setti at certego.net> wrote:
> Thank you Peter,
>
> I missed that line.
> Also found this
> https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L147 . Both
> should work in the same way, is this right?
>
>
That one is related to alerts only.
> Thanks,
> Davide
>
> Il giorno mer 24 ott 2018 alle ore 15:03 Peter Manev <petermanev at gmail.com>
> ha scritto:
>
>>
>>
>> On Wed, Oct 24, 2018 at 2:41 PM Davide Setti <d.setti at certego.net> wrote:
>>
>>> Maybe I should also tell that I can not enable Full Packet Capture.
>>>
>>> Was just wondering if it is possible to log che content of internal
>>> buffers used by sucircata (which should be able to decode the gzipped
>>> content and analyze it).
>>>
>>>
>> You mean - like dump it on disk/log? (not just the one from the alerts ?)
>> I haven't tried this in a while but maybe it is what you need -
>> https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L552 ?
>>
>>
>>> Thanks,
>>> Davide
>>> Il giorno mer 24 ott 2018 alle ore 14:30 Kevin Geil <
>>> info at friendandfamilytech.com> ha scritto:
>>>
>>>> If you have full packet captures, you can filter out the traffic you
>>>> need, then "follow tcp stream" in Wireshark. You can try this with a single
>>>> packet, but it might not be enough data.
>>>>
>>>> Kevin
>>>>
>>>
>>>
>>> --
>>> <http://www.certego.net/>
>>> Davide Setti
>>> R&D and Incident Response Team, Certego
>>> <http://www.linkedin.com/company/certego>
>>> <http://twitter.com/Certego_IRT> <http://github.com/certego>
>>> <http://www.youtube.com/CERTEGOsrl>
>>> <http://plus.google.com/117641917176532015312>
>>> Use of the information within this document constitutes acceptance for
>>> use in an "as is" condition. There are no warranties with regard to this
>>> information; Certego has verified the data as thoroughly as possible. Any
>>> use of this information lies within the user's responsibility. In no event
>>> shall Certego be liable for any consequences or damages, including direct,
>>> indirect, incidental, consequential, loss of business profits or special
>>> damages, arising out of or in connection with the use or spread of this
>>> information.
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support:
>>> http://suricata-ids.org/support/
>>> List:
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>>
>
>
> --
> <http://www.certego.net/>
> Davide Setti
> R&D and Incident Response Team, Certego
> <http://www.linkedin.com/company/certego>
> <http://twitter.com/Certego_IRT> <http://github.com/certego>
> <http://www.youtube.com/CERTEGOsrl>
> <http://plus.google.com/117641917176532015312>
> Use of the information within this document constitutes acceptance for use
> in an "as is" condition. There are no warranties with regard to this
> information; Certego has verified the data as thoroughly as possible. Any
> use of this information lies within the user's responsibility. In no event
> shall Certego be liable for any consequences or damages, including direct,
> indirect, incidental, consequential, loss of business profits or special
> damages, arising out of or in connection with the use or spread of this
> information.
>
--
Regards,
Peter Manev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20181024/5fbc9628/attachment-0001.html>
More information about the Oisf-users
mailing list