Feature #1245: Add "drop-only" and "alert-only" option for pcap-log - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #1245

closed

Add "drop-only" and "alert-only" option for pcap-log

Added by Andreas Herz over 10 years ago. Updated over 1 year ago.

Status:

Closed

Priority:

Normal

Assignee:

Community Ticket

Target version:

TBD

Effort:

Difficulty:

Label:

Description

It would be nice to have the pcap files for matching rules instead of the whole traffic passed.

What i want to have ist, that i have a rule that was matched to be logged into fast.log and when i want to analyse it i can just use the suitable pcap file.
It would be also ok to have several matched rules gathered into one pcap file.
But i want to prevent insanely huge pcap files with 99% valid traffic wasting the HDD space.

Is this a valid feature request? And if you think it's not too hard to implement can you point me where i could start to write a patch.

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #1245

Add "drop-only" and "alert-only" option for pcap-log

Updated by Victor Julien over 10 years ago

Updated by Victor Julien over 10 years ago

Updated by Andreas Herz over 5 years ago

Updated by Andreas Herz over 1 year ago