Feature #811

closed

Pcap extract of matching pattern.

Added by Than Atos almost 11 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
-
Effort:
Difficulty:
Label:

Description

As Snort does :) It would be nice to have the possibility to extract a pcap file containing the session for a matching rule.

Of course it would be possible to extract the desired session afterwards from a full pcap with any tool. But on a highly loaded line this solution is unusable (adding to this, Murphy tells you that you are always in the middle of two pcap files).

On Snort this feature is activated on a rule by the syntax "tag:": http://manual.snort.org/node34.html#SECTION00475000000000000000

It's useful also to see all the flow from a malware to a CC with only a rule matching on the malware heartbeat. Or even simply to see the full request headers part in a big matching HTTP POST.
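As an added illustration of the Snort "tag:" option the request refers to (example rules written for this page, not taken from the ticket or from the Snort manual; the content strings, ports and SIDs are constructed placeholders):

```snort
# Added example, not from the ticket: two Snort 2 rules using "tag:".
# Syntax: tag:<session|host>,<count>,<packets|seconds|bytes>[,src|dst]
# The content strings, ports and SIDs here are constructed placeholders.

# Match a constructed heartbeat string once, then keep logging the rest
# of that TCP session for up to 300 seconds, so the full exchange with
# the CC lands in the pcap even though only the heartbeat matched.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE malware heartbeat"; flow:established,to_server; content:"HELLO-BOT"; tag:session,300,seconds; sid:1000001; rev:1;)

# Host-keyed variant: after a match on the request method, log the next
# 50 packets from the internal source host, whatever session they belong
# to, which also captures the remaining headers of a large POST.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE large HTTP POST"; flow:established,to_server; content:"POST"; http_method; tag:host,50,packets,src; sid:1000002; rev:1;)
```

The tagged packets are written by the configured output plugin alongside the alert itself, so only the tagged session needs to be stored rather than a full capture of the line.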
