[Oisf-users] Dump gzipped content

Davide Setti d.setti at certego.net
Wed Oct 24 13:21:19 UTC 2018


Ok,
I was looking for both, just to know that I can switch from one to the other
as needed.

Thank you!

On Wed 24 Oct 2018 at 15:19 Peter Manev <petermanev at gmail.com>
wrote:

>
>
> On Wed, Oct 24, 2018 at 3:17 PM Davide Setti <d.setti at certego.net> wrote:
>
>> Thank you Peter,
>>
>> I missed that line.
>> Also found this
>> https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L147 .
>> Both should work in the same way, is this right?
>>
>>
> That one is related to alerts only.
>
>
>> Thanks,
>> Davide
>>
>> On Wed 24 Oct 2018 at 15:03 Peter Manev <
>> petermanev at gmail.com> wrote:
>>
>>>
>>>
>>> On Wed, Oct 24, 2018 at 2:41 PM Davide Setti <d.setti at certego.net>
>>> wrote:
>>>
>>>> Maybe I should also say that I can not enable Full Packet Capture.
>>>>
>>>> I was just wondering if it is possible to log the content of the internal
>>>> buffers used by Suricata (which should be able to decode the gzipped
>>>> content and analyze it).
>>>>
>>>>
>>> You mean, like dump it on disk/log? (not just the one from the alerts?)
>>> I haven't tried this in a while but maybe it is what you need -
>>> https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L552  ?
>>>
>>>
>>>> Thanks,
>>>> Davide
>>>> On Wed 24 Oct 2018 at 14:30 Kevin Geil <
>>>> info at friendandfamilytech.com> wrote:
>>>>
>>>>> If you have full packet captures, you can filter out the traffic you
>>>>> need, then "follow tcp stream" in Wireshark. You can try this with a single
>>>>> packet, but it might not be enough data.
>>>>>
>>>>> Kevin
>>>>>
>>>>
>>>>
>>>> --
>>>> <http://www.certego.net/>
>>>> Davide Setti
>>>> R&D and Incident Response Team, Certego
>>>> <http://www.linkedin.com/company/certego>
>>>> <http://twitter.com/Certego_IRT>  <http://github.com/certego>
>>>> <http://www.youtube.com/CERTEGOsrl>
>>>> <http://plus.google.com/117641917176532015312>
>>>> Use of the information within this document constitutes acceptance for
>>>> use in an "as is" condition. There are no warranties with regard to this
>>>> information; Certego has verified the data as thoroughly as possible. Any
>>>> use of this information lies within the user's responsibility. In no event
>>>> shall Certego be liable for any consequences or damages, including direct,
>>>> indirect, incidental, consequential, loss of business profits or special
>>>> damages, arising out of or in connection with the use or spread of this
>>>> information.
>>>> _______________________________________________
>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>> Site: http://suricata-ids.org | Support:
>>>> http://suricata-ids.org/support/
>>>> List:
>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>
>>>> Conference: https://suricon.net
>>>> Trainings: https://suricata-ids.org/training/
>>>
>>>
>>>
>>> --
>>> Regards,
>>> Peter Manev
>>>
>>
>>
>>
>
>
> --
> Regards,
> Peter Manev
>


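The thread contrasts two ways of getting at a gzipped HTTP body: Suricata's own decoded buffers, or the raw bytes from a full packet capture via "follow TCP stream". In the second case the body you see is still compressed, and often chunked, so it has to be reconstructed before you can read it. The following Python is an added example (not code from the thread, nor from the Suricata project) showing that reconstruction with a cap on the decompressed size; the sample response, the `build_response` helper and all function names are constructed for this illustration.

```python
"""Reconstruct the plaintext body of a captured HTTP response.

Handles Transfer-Encoding: chunked and Content-Encoding: gzip/deflate,
and refuses bodies that inflate beyond a caller-chosen limit so that a
small compressed blob cannot exhaust memory during analysis.
"""
import gzip
import zlib


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker found")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # Header names are case-insensitive; a repeated header keeps the last value.
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status_line, headers, body


def dechunk(body: bytes) -> bytes:
    """Undo Transfer-Encoding: chunked (chunk extensions and trailers are ignored)."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)   # hex size, drop extensions
        pos = end + 2
        if size == 0:                                   # last-chunk marker
            break
        out += body[pos:pos + size]
        pos += size + 2                                 # skip data and its CRLF
    return bytes(out)


def _inflate(data: bytes, wbits: int, max_out: int) -> bytes:
    """Inflate with zlib, stopping once max_out bytes have been produced."""
    d = zlib.decompressobj(wbits)
    plain = d.decompress(data, max_out)
    if d.unconsumed_tail:      # input left over means the limit was hit
        raise ValueError("decompressed body exceeds max_out; possible decompression bomb")
    return plain


def decode_body(raw: bytes, max_out: int = 10 * 1024 * 1024) -> bytes:
    """Return the decoded body of a raw response, or raise on unsupported/oversized input."""
    _, headers, body = parse_response(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    enc = headers.get("content-encoding", "identity").lower()
    if enc in ("gzip", "x-gzip"):
        return _inflate(body, 16 + zlib.MAX_WBITS, max_out)   # gzip wrapper
    if enc == "deflate":
        try:
            return _inflate(body, zlib.MAX_WBITS, max_out)    # zlib-wrapped, per RFC
        except zlib.error:
            return _inflate(body, -zlib.MAX_WBITS, max_out)   # raw deflate, as some servers send
    if enc == "identity":
        return body
    raise ValueError(f"unsupported content-encoding: {enc}")


def chunk(data: bytes, size: int) -> bytes:
    """Encode data as HTTP chunks of at most `size` bytes (used to build sample input)."""
    out = bytearray()
    for i in range(0, len(data), size):
        piece = data[i:i + size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def build_response(body: bytes, encoding: str = "gzip", chunked: bool = True) -> bytes:
    """Construct a sample response around an already-encoded body (constructed data)."""
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    head += b"Content-Encoding: " + encoding.encode() + b"\r\n"
    if chunked:
        head += b"Transfer-Encoding: chunked\r\n"
        body = chunk(body, 16)
    return head + b"\r\n" + body


# Constructed sample: what "follow TCP stream" would show for a small gzipped page.
SAMPLE_PLAIN = b"<html><body>Hello from a gzipped response</body></html>"
SAMPLE_RESPONSE = build_response(gzip.compress(SAMPLE_PLAIN))

if __name__ == "__main__":
    print(decode_body(SAMPLE_RESPONSE).decode())
```

The size cap is the part worth keeping when adapting this to real captures: an analyst reading bodies out of a pcap faces the same decompression-bomb risk that an IDS decoder does, and `zlib`'s `max_length` argument gives a cheap way to bound it.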