Task #2219
closedSave pcap only if alert
Description
Hello, I'm trying to figure out how to save a pcap file on alert.
I can't find any bug/doc/manual for this purpouse.
I have a heavy traffic flow being processed by suricata 4.0.0 (30 sec are 1 GB of pcap) so it's quite difficult to save everything.
I don't think BPF would help me, but I could be wrong. I would like to start saving only the packet seen as alert. I already know this could not be useful as the entire pcap, but it would be a nice start for me.
How should I achieve this goal? If it's already possible I could write some documentation to add here.
Many thanks
Updated by Andreas Herz about 7 years ago
- Assignee set to OISF Dev
- Target version set to TBD
This looks similiar to #385 for me. What you could do, you can use the packet info from the eve.json log and convert it back to a normal packet.
Updated by Victor Julien about 7 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jason Ish
I wonder if this could simply be done by adding an option to 'pcap-log' to respect the tag keyword?
I think this ticket is different enough from #385. That ticket is more about logging out in memory stream segments I think.
Updated by Marco Mazza about 7 years ago
What I aske was a little different from #385, even if it says that have to save data "up until and including the data that caused the alert, to disk", which would interest me.
Anyway, I enabled this section:
types:
- alert:
packet: yes # enable dumping of packet (without stream segments)
But is not so easy to manage it, since I have to convert back it. A pcap would be a nice feature. Any other extra, as specified in #385 would be really appreciated.
Many thanks
Updated by Victor Julien almost 7 years ago
- Related to Task #2309: SuriCon 2017 brainstorm added
Updated by Victor Julien over 6 years ago
- Related to Feature #385: Configuration option to log all known (pcap) data for a stream when an alert fires added
Updated by Andreas Herz about 5 years ago
- Tracker changed from Feature to Documentation
We will want to have documentation how this can be achieved with external tooling.
We also add, if possible, the directory where the pcap is stored or the filename if possible.
Lastline might have a possible solution for that and will try to contribute.
We will break that into three dedicated tickets.
Updated by Andreas Herz about 5 years ago
- Related to Feature #120: Capture full session on alert added
Updated by Victor Julien over 2 years ago
- Status changed from Assigned to Closed
- Assignee deleted (
Jason Ish) - Target version deleted (
TBD)
I think this is satisfied by the solution we have for #120.
Updated by Victor Julien almost 2 years ago
- Tracker changed from Documentation to Task
- Status changed from Closed to Rejected
Duplicate of #120.