Feature #811
Pcap extract of matching pattern.
Status: Closed
Description
As Snort does :) It would be nice to have the possibility to extract a pcap file containing the session for a matching rule.
Of course it would be possible afterwards to extract the desired session with any tool from a full pcap. But on a highly loaded line this solution is unusable (adding to this, Murphy tells you that you are always in the middle of two pcap files).
On Snort this feature is activated on a rule by the syntax "tag:": http://manual.snort.org/node34.html#SECTION00475000000000000000
It's also useful to see all the flow from a malware to a CC with only a rule matching on the malware heartbeat, or even simply to see the full request headers part in a big matching HTTP POST.
Updated by Victor Julien almost 13 years ago
We support the tag keyword and through our unified2 output Barnyard2 will be able to turn this into a pcap. I think this is pretty similar to what Snort does.
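To make the tag keyword concrete, here is a constructed Suricata rules snippet (not from this issue or from the Suricata project; the URIs, sids and counts are assumptions) covering both use cases from the description: capturing the rest of a session after a large HTTP POST matches, and capturing all further traffic to the host a malware heartbeat was sent to. Suricata's tag takes the form tag:session,<count>,<packets|seconds|bytes> or tag:host,<count>,<packets|seconds|bytes>,<src|dst>; the tagged packets are written to the unified2 output for Barnyard2 to turn into a pcap.

```text
# Constructed example rules for Suricata's "tag" keyword.

# Use case 1: a large POST matched; keep the next 64 packets of this
# session so the full request headers and body end up in unified2.
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
  msg:"EXAMPLE large POST tagged for session capture"; \
  flow:established,to_server; \
  content:"POST"; http_method; \
  content:"/upload"; http_uri; \
  tag:session,64,packets; \
  sid:9000001; rev:1;)

# Use case 2: a heartbeat matched; tag every packet to that destination
# host for the next 300 seconds so the whole C&C exchange is captured.
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
  msg:"EXAMPLE malware heartbeat tagged for host capture"; \
  flow:established,to_server; \
  content:"/beacon"; http_uri; \
  tag:host,300,seconds,dst; \
  sid:9000002; rev:1;)
```

The sid values and URIs are placeholders; in practice the unified2 output must be enabled in suricata.yaml for the tagged packets to be written anywhere.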
Updated by Than Atos almost 13 years ago
I had tried; it seems to work in unified2.
Updated by Victor Julien over 12 years ago
- Target version set to TBD
Updated by Andreas Herz over 10 years ago
- Assignee set to OISF Dev
Updated by Andreas Herz almost 9 years ago
- Status changed from New to Closed
Looks solved.
Updated by Victor Julien over 8 years ago
- Target version deleted (TBD)