Project

General

Profile

Actions
Copy link

Task #2219

closed
MM

Save pcap only if alert

Task #2219: Save pcap only if alert

Added by Marco Mazza over 8 years ago. Updated over 3 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

Hello, I'm trying to figure out how to save a pcap file on alert.
I can't find any bug/doc/manual for this purpouse.
I have a heavy traffic flow being processed by suricata 4.0.0 (30 sec are 1 GB of pcap) so it's quite difficult to save everything.
I don't think BPF would help me, but I could be wrong. I would like to start saving only the packet seen as alert. I already know this could not be useful as the entire pcap, but it would be a nice start for me.
How should I achieve this goal? If it's already possible I could write some documentation to add here.
Many thanks

Related issues 3 (1 open2 closed)

Related to Suricata - Task #2309: SuriCon 2017 brainstormAssignedVictor JulienActions
Related to Suricata - Feature #385: Configuration option to log all known (pcap) data for a stream when an alert firesClosedCommunity TicketActions
Related to Suricata - Feature #120: Capture full session on alertClosedScott JordanActions
Actions
Copy link

Also available in: PDF Atom