Task #2219
closed
Added by Marco Mazza about 7 years ago.
Updated about 2 years ago.
Description
Hello, I'm trying to figure out how to save a pcap file on alert.
I can't find any bug/doc/manual for this purpose.
I have a heavy traffic flow being processed by suricata 4.0.0 (30 seconds are 1 GB of pcap) so it's quite difficult to save everything.
I don't think BPF would help me, but I could be wrong. I would like to start saving only the packet seen as alert. I already know this could not be as useful as the entire pcap, but it would be a nice start for me.
How should I achieve this goal? If it's already possible I could write some documentation to add here.
Many thanks
- Assignee set to OISF Dev
- Target version set to TBD
This looks similar to #385 for me. What you could do is use the packet info from the eve.json log and convert it back to a normal packet.
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jason Ish
I wonder if this could simply be done by adding an option to 'pcap-log' to respect the tag keyword?
I think this ticket is different enough from #385. That ticket is more about logging out in memory stream segments I think.
What I asked was a little different from #385, even if it says that it has to save data "up until and including the data that caused the alert, to disk", which would interest me.
Anyway, I enabled this section:
types:
  - alert:
      packet: yes # enable dumping of packet (without stream segments)
But it is not so easy to manage, since I have to convert it back. A pcap would be a nice feature. Any other extra, as specified in #385, would be really appreciated.
Many thanks
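The conversion the previous comments describe (take the alert's packet out of eve.json and turn it back into a normal packet) can be scripted. The following is an added example, not code from Suricata or from anyone in this ticket. It assumes the eve alert record carries the packet as a base64 string in a `packet` field and the DLT in `packet_info.linktype` (that is what the `packet: yes` option produces); the eve lines and the packet bytes below are constructed for the example, not captured traffic.

```python
import base64
import json
import struct
import sys
from datetime import datetime

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
DLT_EN10MB = 1           # Ethernet
DLT_RAW = 101            # raw IP, used here only to show a linktype mismatch


def _sample_packet() -> bytes:
    """Constructed Ethernet + IPv4 + TCP SYN, 54 bytes, no payload (not real traffic)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 64240, 0, 0)
    return eth + ip + tcp


_PKT_B64 = base64.b64encode(_sample_packet()).decode()

# Constructed eve.json lines: a flow event, two alerts with a packet,
# an alert without a packet, and an alert with a different linktype.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2017-10-04T12:34:56.123456+0200",
                "event_type": "flow", "src_ip": "10.0.0.1"}),
    json.dumps({"timestamp": "2017-10-04T12:34:56.200000+0200",
                "event_type": "alert", "alert": {"signature_id": 1000001},
                "packet": _PKT_B64, "packet_info": {"linktype": DLT_EN10MB}}),
    json.dumps({"timestamp": "2017-10-04T12:34:57.000001+0200",
                "event_type": "alert", "alert": {"signature_id": 1000002},
                "packet": _PKT_B64, "packet_info": {"linktype": DLT_EN10MB}}),
    json.dumps({"timestamp": "2017-10-04T12:34:58.000000+0200",
                "event_type": "alert", "alert": {"signature_id": 1000003}}),
    json.dumps({"timestamp": "2017-10-04T12:34:59.000000+0200",
                "event_type": "alert", "alert": {"signature_id": 1000004},
                "packet": _PKT_B64[:-8], "packet_info": {"linktype": DLT_RAW}}),
]


def parse_eve_alert_packets(lines):
    """Yield (timestamp, linktype, raw_packet) for alert records that carry a packet."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the export
        if rec.get("event_type") != "alert" or "packet" not in rec:
            continue
        try:
            raw = base64.b64decode(rec["packet"], validate=True)
        except (ValueError, TypeError):
            continue
        linktype = rec.get("packet_info", {}).get("linktype", DLT_EN10MB)
        # Suricata writes offsets like +0200; %z accepts that form.
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        yield ts, linktype, raw


def alerts_to_pcap(lines):
    """Return (pcap_bytes, written, skipped).

    A pcap file has a single linktype, so the first alert's linktype is used
    and records with another linktype are counted as skipped.
    """
    records = list(parse_eve_alert_packets(lines))
    if not records:
        return b"", 0, 0
    linktype = records[0][1]
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, network
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    written = skipped = 0
    for ts, lt, raw in records:
        if lt != linktype:
            skipped += 1
            continue
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", int(ts.timestamp()), ts.microsecond, len(raw), len(raw))
        out += raw
        written += 1
    return bytes(out), written, skipped


def count_pcap_records(data: bytes) -> int:
    """Walk the record headers of a pcap byte string; used to check the output."""
    off, n = 24, 0
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16 + incl_len
        n += 1
    return n


if __name__ == "__main__":
    # usage: python eve_alerts_to_pcap.py eve.json alerts.pcap
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE_LINES
    pcap, written, skipped = alerts_to_pcap(src)
    dst = sys.argv[2] if len(sys.argv) > 2 else "alerts.pcap"
    with open(dst, "wb") as fh:
        fh.write(pcap)
    print(f"wrote {written} packets to {dst}, skipped {skipped} (linktype mismatch)")
```

What lands in the pcap is exactly what the comment says: the single packet that triggered each alert, not the reassembled stream segments, so a rule that fires on reassembled data will not give you the full exchange this way. Note that the script only reads eve.json, so it is free of the 1 GB per 30 seconds problem in the description: the file grows with the alert rate, not the traffic rate.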
- Related to Task #2309: SuriCon 2017 brainstorm added
- Related to Feature #385: Configuration option to log all known (pcap) data for a stream when an alert fires added
- Tracker changed from Feature to Documentation
We will want to have documentation on how this can be achieved with external tooling.
We also add, if possible, the directory where the pcap is stored or the filename.
Lastline might have a possible solution for that and will try to contribute.
We will break that into three dedicated tickets.
- Related to Feature #120: Capture full session on alert added
- Status changed from Assigned to Closed
- Assignee deleted (Jason Ish)
- Target version deleted (TBD)
I think this is satisfied by the solution we have for #120.
- Tracker changed from Documentation to Task
- Status changed from Closed to Rejected