How to log alert into a pcap

ashokdev7 · January 18, 2022, 7:14am

Hi
I want to log alert/session into a pcap if a alert is triggered on a session/packet.
How can I do it

Jeff_Lucovsky · January 20, 2022, 1:27pm

Hi,

There is development work in progress to do this – see Pcap conditional v2.2.12 by scottfgjordan · Pull Request #6766 · OISF/suricata · GitHub

We expect this work to be included in Suricata 7 if it’s completed in time.

ish · January 21, 2022, 2:59am

Until we do have that feature, the payload logging is quite useful. Its base64, but if you can decode it can give you a lot of extra context.

bigjohns97 · July 17, 2023, 2:08pm

Was about to create a thread for this feature and came across this thread, tried to track down this through the github link above but I couldn’t figure out if this made it into v7 or not.

Can someone confirm if this is available in v7 or not?

jufajardini · July 18, 2023, 5:45pm

Yep, it’s there: Suricata 7.0.0 released

Topic		Replies	Views
Conditional PCAP may not log packets for all alerts	1	492	April 29, 2023
Is there any way to link alert and log.pcap? Developers suricata , pcaps	0	356	March 24, 2023
FPC when a specific alert is triggered Help pcaps	2	769	December 10, 2021
Can Suricata Capture the network traffic? Help suricata	1	392	March 21, 2022
Capture file not always exsits for alerts (Suricata v.7 Conditional PCAP)	4	406	April 23, 2023

How to log alert into a pcap

Related Topics