Task #2219

closed

Save pcap only if alert

Added by Marco Mazza over 6 years ago. Updated over 1 year ago.

Status: Rejected
Priority: Normal
Assignee: -
Target version: -

Description

Hello, I'm trying to figure out how to save a pcap file on alert.
I can't find any bug/doc/manual for this purpose.
I have a heavy traffic flow being processed by suricata 4.0.0 (30 sec are 1 GB of pcap) so it's quite difficult to save everything.
I don't think BPF would help me, but I could be wrong. I would like to start saving only the packet seen as alert. I already know this could not be useful as the entire pcap, but it would be a nice start for me.
How should I achieve this goal? If it's already possible I could write some documentation to add here.
Many thanks


Related issues (3: 1 open, 2 closed)

  • Related to Suricata - Task #2309: SuriCon 2017 brainstorm (Assigned, Victor Julien)
  • Related to Suricata - Feature #385: Configuration option to log all known (pcap) data for a stream when an alert fires (Closed, Community Ticket)
  • Related to Suricata - Feature #120: Capture full session on alert (Closed, Scott Jordan)
Actions #1

Updated by Andreas Herz over 6 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

This looks similar to #385 to me. What you could do is use the packet info from the eve.json log and convert it back to a normal packet.

Actions #2

Updated by Victor Julien over 6 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Jason Ish

I wonder if this could simply be done by adding an option to 'pcap-log' to respect the tag keyword?

I think this ticket is different enough from #385. That ticket is more about logging out in memory stream segments I think.

Actions #3

Updated by Marco Mazza over 6 years ago

What I asked was a little different from #385, even if it says that it has to save data "up until and including the data that caused the alert, to disk", which would interest me.
Anyway, I enabled this section:

types:
  - alert:
      packet: yes # enable dumping of packet (without stream segments)

But it is not so easy to manage, since I have to convert it back. A pcap would be a nice feature. Any other extra, as specified in #385, would be really appreciated.
Many thanks

Actions #4

Updated by Victor Julien over 6 years ago

  • Related to Task #2309: SuriCon 2017 brainstorm added

Actions #5

Updated by Victor Julien over 5 years ago

  • Related to Feature #385: Configuration option to log all known (pcap) data for a stream when an alert fires added

Actions #6

Updated by Andreas Herz over 4 years ago

  • Tracker changed from Feature to Documentation

We will want to have documentation how this can be achieved with external tooling.
We also add, if possible, the directory where the pcap is stored or the filename.
Lastline might have a possible solution for that and will try to contribute.
We will break that into three dedicated tickets.

Actions #7

Updated by Andreas Herz over 4 years ago

  • Related to Feature #120: Capture full session on alert added

Actions #8

Updated by Victor Julien almost 2 years ago

  • Status changed from Assigned to Closed
  • Assignee deleted (Jason Ish)
  • Target version deleted (TBD)

I think this is satisfied by the solution we have for #120.

Actions #9

Updated by Victor Julien over 1 year ago

  • Tracker changed from Documentation to Task
  • Status changed from Closed to Rejected

Duplicate of #120.
