Feature #385
closed
Configuration option to log all known (pcap) data for a stream when an alert fires
Added by David Wharton about 13 years ago.
Updated about 5 years ago.
Description
This is a request to be able to configure Suricata to log as much of a stream that it can leading up to an alert. For example, if an alert is generated, this configuration directive would tell Suricata to log as much of the stream that it knows about (e.g. what is in memory) up until and including the data that caused the alert, to disk. Data after an alert can be set by tagging directives but I think it would be handy to be able to configure Suricata to log all traffic it has in memory for a stream that generates an alert. Logging of network data would of course be in libpcap format (see also Feature #384 -- https://redmine.openinfosecfoundation.org/issues/384).
- Assignee set to OISF Dev
- Priority changed from Low to Normal
- Target version set to TBD
In case of an alert generated based on the application layer state (e.g. HTTP), this is already what we do in Unified2. For raw stream alerts we can probably try to do that as well.
- Related to Task #2309: SuriCon 2017 brainstorm added
- Related to Feature #120: Capture full session on alert added
- Related to Task #2219: Save pcap only if alert added
- Assignee changed from OISF Dev to Maurizio Abba
- Related to Task #2685: SuriCon 2018 brainstorm added
Hi Maurizio, are you still planning to submit a PR for this?
- Assignee changed from Maurizio Abba to Community Ticket
- Status changed from New to Closed
Issue #120 is the same but less specific
- Related to deleted (Feature #120: Capture full session on alert)
- Is duplicate of Feature #120: Capture full session on alert added
Also available in: Atom
PDF