Project

General

Profile

Actions
Copy link

Feature #1245

closed

Add "drop-only" and "alert-only" option for pcap-log

Added by Andreas Herz over 9 years ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Community Ticket
Target version:
TBD
Effort:
Difficulty:
Label:

Description

It would be nice to have the pcap files for matching rules instead of the whole traffic passed.

What i want to have ist, that i have a rule that was matched to be logged into fast.log and when i want to analyse it i can just use the suitable pcap file.
It would be also ok to have several matched rules gathered into one pcap file.
But i want to prevent insanely huge pcap files with 99% valid traffic wasting the HDD space.

Is this a valid feature request? And if you think it's not too hard to implement can you point me where i could start to write a patch.

Actions
Copy link
 #1

Updated by Victor Julien over 9 years ago

  • Assignee set to Anonymous
  • Priority changed from High to Normal
  • Target version changed from 2.0.3 to TBD
Actions
Copy link
 #2

Updated by Victor Julien over 9 years ago

Sure, it'd be a welcome contribution.

Actions
Copy link
 #3

Updated by Andreas Herz about 5 years ago

  • Assignee set to Community Ticket
Actions
Copy link
 #4

Updated by Andreas Herz 11 months ago

  • Status changed from New to Closed

now available with conditional pcap

Actions
Copy link

Also available in: Atom PDF