Project

General

Profile

Actions
Copy link

Feature #2233

closed

Allow log for payload and packet only for defined sid

Added by Suk Jeong Lee over 6 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Hello team,

Suricata config file having a feature for logging for all payload and packet, but does not have a feature for only defined sids.

  1. payload: yes # enable dumping payload in Base64
  2. payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
  3. payload-printable: yes # enable dumping payload in printable (lossy) format
  4. packet: yes # enable dumping of packet (without stream segments)

Can we have a feature logging payload and packet only defined sids?

Thanks,

Actions
Copy link
 #1

Updated by Andreas Herz over 6 years ago

  • Assignee changed from Victor Julien to OISF Dev
  • Target version set to TBD

So you want to have a list of sids that should be relevant for that logging and skip all the others for that part of the logging? I would implement it either as some keyword or as a dedicated file like threshold.config. Postprocessing is no solution for you to filter them?

Actions
Copy link
 #2

Updated by Andreas Herz about 5 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs

Actions
Copy link

Also available in: Atom PDF