Please include the following information with your help request:
- Suricata version
- Operating system and/or Linux distribution
- How you installed Suricata (from source, packages, something else)
I’ve tried a couple of different versions of Suricata 7.0, on Mac and Ubuntu.
Hi
I’ve been trying to just get Suricata working with a rule whereby when a signature is fired, just the offending packet is logged.
My suricata.yaml looks like;
then in my rule i have;
metadata: tag;
however this seems to log all packets in the flow from when the rule is fired, not the single packet.
I wondered if anyone had any sucess with getting this working, or if I’m missing something ?
many thanks
vjulien
(Victor Julien)
2
This is meant to be used with the tag keyword, which turns out to be undocumented.
I’ve started doing that here:
Thanks - I’ll check this out and get back to you.
Hi Victor
Ok, this is lovely - exactly what I wanted;
Just a few nits/clarifications;
-
There no details of direction, wasn’t sure if you could also have ‘both’ ?
-
I have two signatures that fire on a flow, each logs 20 packets, this is per direction. I found that it would then log a total of 40 packets.
If there’s anything that I can do to help document let me know.
Thanks again for this, it’s awesome !
cheers