Feature #811: Pcap extract of matching pattern.

Added by Than Atos almost 11 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Target version: -
Description

As Snort does :) It would be nice to have the possibility to extract a pcap file containing the session for a matching rule.

Of course it would be possible afterwards to extract the desired session from a full pcap with any tool. But on a highly loaded line this solution is unusable (adding to this, Murphy tells you that you are always in the middle of two pcap files).

On Snort this feature is activated in a rule by the "tag:" syntax: http://manual.snort.org/node34.html#SECTION00475000000000000000

It's also useful to see the whole flow from a malware to its CC with only a rule matching on the malware heartbeat, or even simply to see the full request headers of a big matching HTTP POST.

Actions #1

Updated by Victor Julien almost 11 years ago

We support the tag keyword and through our unified2 output Barnyard2 will be able to turn this into a pcap. I think this is pretty similar to what Snort does.
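The thread's point is that a rule can tag the rest of a session (Snort-style `tag:session,<count>,packets;`, which Suricata also supports per the comment above) and that the tagged packets then have to be turned into a pcap by a separate tool. The script below is an added example, not Suricata's or Barnyard2's code, and it shows that last step for the newer JSON path rather than unified2: it assumes EVE output where the alert and each tagged packet appear as events carrying a base64 `packet` field with `packet_info.linktype` (the sample lines are constructed here, not captured), and it writes them out as a plain libpcap file with correct global and per-record headers. The frame bytes are built inline so the script runs offline; a `read_pcap` helper parses the result back so it can be checked.

```python
"""Reassemble tagged packets from Suricata EVE JSON into a libpcap file.

Added example (not project code). Assumed EVE shape: every event that carries a
raw packet has a base64 "packet" field and "packet_info": {"linktype": N}.
"""
import base64
import calendar
import json
import struct
from datetime import datetime

PCAP_MAGIC_USEC = 0xA1B2C3D4   # libpcap magic for microsecond timestamps
PCAP_SNAPLEN = 65535


def _frame(src_port, dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums zero; fine for a sample pcap)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    return eth + ip + tcp


def _event(ts, frame, event_type="packet"):
    return json.dumps({"timestamp": ts, "event_type": event_type,
                       "packet": base64.b64encode(frame).decode("ascii"),
                       "packet_info": {"linktype": 1}})


# Constructed EVE lines: the alert (with its triggering packet), two packets that
# followed because of the rule's tag, and an unrelated flow record to be ignored.
# The hypothetical rule would read, in the Snort form linked above:
#   alert tcp any any -> any 80 (msg:"beacon"; content:"/beacon"; tag:session,20,packets; sid:1; rev:1;)
SAMPLE_EVE = [
    _event("2013-05-20T10:00:00.000100+0200",
           _frame(41000, 80, b"POST /beacon HTTP/1.1\r\n"), "alert"),
    _event("2013-05-20T10:00:00.000350+0200",
           _frame(41000, 80, b"Host: c2.example\r\n\r\n")),
    _event("2013-05-20T10:00:00.000900+0200",
           _frame(80, 41000, b"HTTP/1.1 200 OK\r\n\r\n")),
    json.dumps({"timestamp": "2013-05-20T10:00:01.000000+0200", "event_type": "flow"}),
]


def eve_to_pcap(lines):
    """Return libpcap bytes holding every EVE event that carries a raw packet."""
    records = []
    linktype = None
    for line in lines:
        ev = json.loads(line)
        if "packet" not in ev:
            continue
        lt = ev.get("packet_info", {}).get("linktype", 1)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            # A pcap file has a single link type; mixed captures need separate files.
            raise ValueError(f"mixed link types {linktype} and {lt}")
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        sec = calendar.timegm(ts.utctimetuple())      # convert the zone offset to UTC epoch
        records.append((sec, ts.microsecond, base64.b64decode(ev["packet"])))
    if linktype is None:
        raise ValueError("no packet events in input")
    records.sort(key=lambda r: (r[0], r[1]))            # log lines need not be in time order
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, PCAP_SNAPLEN, linktype)]
    for sec, usec, frame in records:
        frame = frame[:PCAP_SNAPLEN]
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Parse libpcap bytes back into (linktype, [(sec, usec, frame), ...])."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("unsupported pcap magic")
    pos, pkts = 24, []
    while pos < len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[pos:pos + 16])
        pkts.append((sec, usec, data[pos + 16:pos + 16 + incl]))
        pos += 16 + incl
    return linktype, pkts


if __name__ == "__main__":
    with open("tagged.pcap", "wb") as fh:
        fh.write(eve_to_pcap(SAMPLE_EVE))
```

The resulting file opens in Wireshark or tcpdump like any capture, which is the workflow the reporter wanted: the sensor emits only the tagged session, and nobody has to carve it out of a rolling full capture after the fact.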

Actions #2

Updated by Than Atos almost 11 years ago

I have tried it, and it seems to work with unified2.

Actions #3

Updated by Victor Julien over 10 years ago

  • Target version set to TBD

Actions #5

Updated by Andreas Herz over 8 years ago

  • Assignee set to OISF Dev

Actions #6

Updated by Andreas Herz almost 7 years ago

  • Status changed from New to Closed

looks solved

Actions #6

Updated by Victor Julien over 6 years ago

  • Target version deleted (TBD)