Feature #120

closed

Capture full session on alert

Added by Dave Smith almost 15 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal

Description

On alert, Snort either captures only the individual packet that hit on a rule, or 'n' number of packets thereafter that you specify with the tag keyword. Investigation of an alert is usually pretty hard with only that one packet, unless you happen to separately be saving all traffic on the wire to disk, and can go and retrieve the relevant pcap from elsewhere manually. Tagging will only get you packets after the alert - if your rule hits a few packets into the session, the previous packets are lost.

It would be great to have the capability to capture an entire session. I previously worked for a large multinational company that had a proprietary, in-house developed IDS that did this. Its engine held a rolling packet buffer of a couple hundred MB of traffic from the wire that the engine could reach back into, to collect the beginning of the session, and it seemed to work quite well.


Related issues (6: 2 open, 4 closed)

Related to Suricata - Task #2309: SuriCon 2017 brainstorm (Assigned, Victor Julien)
Related to Suricata - Task #2219: Save pcap only if alert (Rejected)
Related to Suricata - Task #4097: Suricon 2020 brainstorm (Assigned, Victor Julien)
Related to Suricata - Bug #5189: Suricata alerts pcap issue (Closed, Chatak Kumar)
Related to Suricata - Bug #5374: pcap-log: breaking change in file names (Closed, Jason Ish)
Has duplicate Suricata - Feature #385: Configuration option to log all known (pcap) data for a stream when an alert fires (Closed, Community Ticket)