Friday, September 13, 2024

Did you know that you can configure Security Onion to only record PCAP for Suricata NIDS alerts?

Folks sometimes ask how to record PCAP only for Suricata NIDS alerts so that they can save disk space. Our preference is to NOT limit PCAP to alerts only, since disk is cheap and most sophisticated adversaries are going to try to evade IDS alerts anyway, which means the traffic you most want to investigate later is the traffic that never produced an alert. However, for folks that really need the space savings, here is how you would do it.


First, check whether you are using Stenographer or Suricata for PCAP. If you are using Stenographer, you will need to switch to Suricata as shown here (please note the warning):

https://docs.securityonion.net/en/2.4/suricata.html#pcap


Once you're running Suricata for PCAP, you would then set conditional PCAP to "alerts" as shown here:

https://docs.securityonion.net/en/2.4/suricata.html#conditional-pcap
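The post does not reproduce the underlying setting, so here is how the two choices look in upstream Suricata's own `suricata.yaml`, as an added illustration rather than anything taken from the post or the Security Onion docs. Security Onion generates `suricata.yaml` from the configuration you set in the SOC UI (the second link above), so treat this as a reading aid rather than a file to edit by hand on a Security Onion sensor; the filename and size limits are placeholder values.

```yaml
outputs:
  # Suricata's full-packet-capture output. "conditional" is the knob the
  # Security Onion "conditional PCAP" setting ultimately controls.
  - pcap-log:
      enabled: yes
      filename: log.pcap        # placeholder; the real name is managed for you
      limit: 1000mb             # placeholder rotation size per file
      max-files: 2000           # placeholder retention count
      mode: multi               # one pcap file per capture thread
      use-stream-depth: no      # keep writing packets past stream.reassembly.depth
      honor-pass-rules: no      # still record traffic matched by "pass" rules

      # The trade-off the post describes:
      #   all    - record every packet (Suricata's default; keeps evidence for
      #            flows that never tripped a signature)
      #   alerts - record only packets and flows that produced an alert
      #            (the space-saving choice; a flow that never matches a
      #            signature leaves nothing on disk)
      #   tag    - record only flows marked by a rule's "tag" keyword
      conditional: all

  # The same output with the space-saving choice applied. Everything else
  # stays as above; only this one line changes:
  #
  #     conditional: alerts
```

If you do choose `alerts`, remember that the decision is made at capture time: there is no way to go back and retrieve packets for a flow that never alerted, so tune your rule set before relying on it.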



