Configuration option to log all known (pcap) data for a stream when an alert fires
This is a request to be able to configure Suricata to log as much of a stream that it can leading up to an alert. For example, if an alert is generated, this configuration directive would tell Suricata to log as much of the stream that it knows about (e.g. what is in memory) up until and including the data that caused the alert, to disk. Data after an alert can be set by tagging directives but I think it would be handy to be able to configure Suricata to log all traffic it has in memory for a stream that generates an alert. Logging of network data would of course be in libpcap format (see also Feature #384 -- https://redmine.openinfosecfoundation.org/issues/384).
Updated by Victor Julien almost 7 years ago
- Assignee set to OISF Dev
- Priority changed from Low to Normal
- Target version set to TBD
In case of an alert generated based on the application layer state (e.g. HTTP), this is already what we do in Unified2. For raw stream alerts we can probably try to do that as well.