Folks sometimes ask how to only record PCAP for Suricata NIDS alerts so that they can save disk space. Our preference is to NOT limit PCAP to alerts only since disk is cheap and most sophisticated adversaries are going to try to evade IDS alerts anyway. However, for folks that really need the space savings, here is how you would do it.
First, check to see whether you are using Stenographer or Suricata for PCAP. If you are using Stenographer, you will need to switch to Suricata as shown here (please note the warning):
https://docs.securityonion.net/en/2.4/suricata.html#pcap

Once you're running Suricata for PCAP, you would then set conditional PCAP to "alerts" as shown here:
https://docs.securityonion.net/en/2.4/suricata.html#conditional-pcap
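For reference, the setting the linked docs toggle is Suricata's own pcap-log `conditional` option. The fragment below is an added illustration, not taken from the Security Onion docs or config tree; it shows the default full-capture setting beside the alerts-only one. On Security Onion the suricata.yaml is generated from its own configuration, so apply the change through the documented procedure rather than editing the file by hand (an assumption about your deployment, not something this post covers).

```yaml
# suricata.yaml (outputs section) - added example, not Security Onion's shipped file
outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap
      mode: multi            # one file per thread, required for conditional capture
      dir: /nsm/suricata/pcap   # placeholder path, adjust for your sensor

      # Default: record every packet. Costs disk, but keeps evidence of traffic
      # that never tripped a signature (what a careful adversary aims for).
      # conditional: all

      # Space-saving option discussed above: only keep packets from flows that
      # raised an alert. Anything that evaded the ruleset is not retained.
      conditional: alerts
```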