Hi,
Wonder if suricata can be configured to only capture the first packet of each new connection and possibly ignore responses?
many thanks
Darrin
In theory yes, but it’s not a simple switch. You could set stream depth very very low for example.
Possibly you can also try the following rules:
alert ip any any -> any any (msg: "Packet!"; flow: to_server; bypass; sid: 999; rev:1;)
alert ip any any -> any any (msg: "Packet!"; flow: to_client; bypass; sid: 998; rev:1;)
You can either create a new ruleset file if you are not interested in an inspection of the first packets or you can simply add them to the existing ruleset file (e.g. ET Open).
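As an added example (not part of Darrin's question or the reply above), a Python check over Suricata eve.json alert records that tells you whether the two bypass rules actually left one alert per flow and no response-side alerts; the sample records are constructed, and flow_id and alert.signature_id are standard eve.json fields.

```python
import json
from collections import Counter, defaultdict

# SIDs from the rules in the reply above: 999 fires on the request direction,
# 998 on the response direction.
TO_SERVER_SID = 999
TO_CLIENT_SID = 998

# Constructed eve.json lines (not real Suricata output). Flow 3 shows what it
# looks like when bypass did not take effect: a second request-side alert and
# a response-side alert on the same flow.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert","flow_id":1,"src_ip":"10.0.0.1","dest_ip":"10.0.0.2","alert":{"signature_id":999}}
{"timestamp":"2024-01-01T00:00:00.100000+0000","event_type":"alert","flow_id":2,"src_ip":"10.0.0.1","dest_ip":"10.0.0.3","alert":{"signature_id":999}}
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"flow","flow_id":1,"src_ip":"10.0.0.1","dest_ip":"10.0.0.2"}
{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"alert","flow_id":3,"src_ip":"10.0.0.1","dest_ip":"10.0.0.4","alert":{"signature_id":999}}
{"timestamp":"2024-01-01T00:00:02.050000+0000","event_type":"alert","flow_id":3,"src_ip":"10.0.0.4","dest_ip":"10.0.0.1","alert":{"signature_id":998}}
{"timestamp":"2024-01-01T00:00:02.100000+0000","event_type":"alert","flow_id":3,"src_ip":"10.0.0.1","dest_ip":"10.0.0.4","alert":{"signature_id":999}}
"""


def audit_first_packet_alerts(eve_text):
    """Count alerts per flow_id and report flows that got more than one alert
    (bypass did not stop further inspection) or a response-side alert."""
    per_flow = defaultdict(Counter)
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, stats and other record types are not alerts
        per_flow[rec["flow_id"]][rec["alert"]["signature_id"]] += 1
    multiple = sorted(f for f, c in per_flow.items() if sum(c.values()) > 1)
    responses = sorted(f for f, c in per_flow.items() if c[TO_CLIENT_SID] > 0)
    return {"flows": len(per_flow),
            "multiple_alerts": multiple,
            "response_alerts": responses}


if __name__ == "__main__":
    print(audit_first_packet_alerts(SAMPLE_EVE))
```

Run it against your real eve.json instead of SAMPLE_EVE; an empty multiple_alerts list means every flow produced exactly one alert, and an empty response_alerts list means no response packet reached the rules.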