Suricata - Alert/event pcap?
I have a really hard time finding where I can enable pcap for alerts/events. Is this implemented yet, or is it just not available through the GUI?
- Services/Suricata/Interfaces -> Edit one of the interfaces
- [Interface name] Settings -> Enable Packet Log (Suricata will log decoded packets for the interface in pcap-format. Default is Not Checked. This can consume a significant amount of disk space when enabled.)
mind12's recommendation will log all traffic, not just alerts.
It is my understanding that Suricata doesn't have the ability to generate pcaps from alerts, but using eve.json logging you can log the payload data, which will get you what you need in most cases. Unfortunately this isn't configurable in the Suricata GUI in pfSense. You can edit suricata_generate_yaml.php to do so, as described here: https://forum.pfsense.org/index.php?topic=112587.0
Keep in mind I believe these changes will be overwritten anytime Suricata is updated.
I've added a check box in the Suricata settings to allow this to be selected in the GUI and submitted a pull request, but have not heard anything back from the maintainers. Edit: it looks like the PR is going to be accepted, so hopefully this will be in the packaged version soon.
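Once eve.json is carrying the packet and payload data for alerts, the per-alert pcap the question asks for can be assembled from the log itself. The script below is an added example, not code from the thread, from pfSense or from the Suricata project. It assumes the eve-log `alert` section has been configured with `packet: yes` (base64 of the raw frame, plus a `packet_info.linktype` hint) and `payload: yes`; the sample eve.json lines and the Ethernet/IPv4/TCP frame inside them are constructed here, not captured traffic. Non-alert events and truncated lines (common at log rotation) are skipped rather than aborting the run.

```python
import base64
import json
import struct
from datetime import datetime


def _build_sample_frame() -> bytes:
    """Constructed Ethernet/IPv4/TCP frame used only to populate the sample log.
    Checksums are left as zero; this is fixture data, not a real capture."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"  # dst, src, type=IPv4
    payload = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)  # PSH|ACK
    return eth + ip + tcp + payload


_FRAME = _build_sample_frame()
_PAYLOAD = _FRAME[14 + 20 + 20:]

# Constructed eve.json lines: one alert with packet data, one flow event, one truncated line.
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": "2016-10-05T12:34:56.123456+0000",
        "event_type": "alert",
        "src_ip": "192.168.1.10", "src_port": 40000,
        "dest_ip": "10.0.0.5", "dest_port": 80, "proto": "TCP",
        "alert": {"signature_id": 1000001, "signature": "CONSTRUCTED TEST admin path"},
        "payload": base64.b64encode(_PAYLOAD).decode(),
        "packet": base64.b64encode(_FRAME).decode(),
        "packet_info": {"linktype": 1},
    }),
    json.dumps({"timestamp": "2016-10-05T12:35:00.000001+0000",
                "event_type": "flow", "proto": "UDP"}),
    '{"timestamp": "2016-10-05T12:36:',  # truncated line, as seen during rotation
]


def alert_records(lines):
    """Yield (timestamp, linktype, raw_frame) for alert events that carry a packet."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial write; nothing usable here
        if rec.get("event_type") != "alert" or "packet" not in rec:
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        linktype = rec.get("packet_info", {}).get("linktype", 1)  # 1 = Ethernet
        yield ts, linktype, base64.b64decode(rec["packet"])


def eve_alerts_to_pcap(lines, linktype=1):
    """Return (pcap_bytes, packet_count) with one record per alert packet.
    Classic pcap holds a single link type, so frames of another type are dropped."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    count = 0
    for ts, lt, frame in alert_records(lines):
        if lt != linktype:
            continue
        out += struct.pack("<IIII", int(ts.timestamp()), ts.microsecond, len(frame), len(frame))
        out += frame
        count += 1
    return bytes(out), count


if __name__ == "__main__":
    # Assumed paths: read eve.json from the Suricata log directory, write alerts.pcap beside it.
    pcap, n = eve_alerts_to_pcap(SAMPLE_EVE_LINES)
    with open("alerts.pcap", "wb") as fh:
        fh.write(pcap)
    print(f"wrote {n} alert packet(s) to alerts.pcap")
```

Replace `SAMPLE_EVE_LINES` with `open("/var/log/suricata/<interface>/eve.json")` (path is an assumption; use the directory your pfSense install shows) and the resulting file opens in Wireshark like any other capture. Note that `packet: yes` stores the single packet that triggered the rule, not the whole flow, which is usually enough for triage but not for full session reconstruction.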
Thanks jeffh, this is what I have been looking for :)