[Oisf-users] Relating packets to alerts
Peter Manev
petermanev at gmail.com
Fri Mar 29 13:27:41 UTC 2019
On Thu, Mar 28, 2019 at 6:58 PM Luis Escamilla <luis at cyberopsec.com.mx> wrote:
>
> I would like to create a pcap file of the flow that fired the alert from the tagged packets, but I'm having trouble identifying which packets correspond to a certain alert
>
It is normal/ok for a single flow to generate multiple records or
alerts - not just one.
>
> On 3/28/19, 7:34 AM, "jt" <jtfas90 at gmail.com> wrote:
>
> Are you looking for the specific packet number in a given flow that
> fired an alert(s)?
>
> JT
>
> On Wed, 2019-03-27 at 20:27 +0000, Luis Escamilla wrote:
> > Is it possible to identify in an eve log which of the tagged packets
> > correspond to certain alert? I have been doing it by flow id, but
> > many times, the flow id is related to multiple alerts
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> > http://suricata-ids.org/support/
> > List:
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
--
Regards,
Peter Manev
More information about the Oisf-users
mailing list