Hi
I want to log alert/session into a pcap if a alert is triggered on a session/packet.
How can I do it
Hi,
There is development work in progress to do this – see Pcap conditional v2.2.12 by scottfgjordan · Pull Request #6766 · OISF/suricata · GitHub
We expect this work to be included in Suricata 7 if it’s completed in time.
Until we do have that feature, the payload logging is quite useful. Its base64, but if you can decode it can give you a lot of extra context.
Was about to create a thread for this feature and came across this thread, tried to track down this through the github link above but I couldn’t figure out if this made it into v7 or not.
Can someone confirm if this is available in v7 or not?
Yep, it’s there: Suricata 7.0.0 released 