Please include the following information with your help request:
- Suricata version
- Operating system and/or Linux distribution
- How you installed Suricata (from source, packages, something else)
I’ve tried a couple of different versions of Suricata 7.0, on Mac and Ubuntu.
Hi
I’ve been trying to just get Suricata working with a rule whereby when a signature is fired, just the offending packet is logged.
My suricata.yaml looks like:

```yaml
- pcap-log:
    enabled: yes
    filename: log.pcap
    conditional: tag
```
then in my rule I have:

```
metadata: tag;
```
However, this seems to log all packets in the flow from when the rule is fired, not the single packet.
I wondered if anyone had any success with getting this working, or if I’m missing something?
Many thanks