full packet capture


Agustin Larrarte

Jul 18, 2018, 12:33:06 PM
to security-onion
Hello,

We are new to Security Onion. First of all, thanks for this great product, it has been really good so far.

We are looking into the alerts and are finding that the captures for those alerts are already gone (when doing alert analysis in Sguil, looking for the captures that triggered the alert, the pcap file is gone, so Wireshark won't open it).

Now, we figured this is because full packet capture is filling up all the space. The sensor has 1 TB available and that space is filled within 1 hour or less (1Gb/s iface 100%).

Is there a way we can still persist those packet captures for those packets that did trigger an alert so we can have it for forensics and further analysis? (for critical alerts). Sometimes we don't get to see the packet capture within the hour.

We are looking into having a little more time bandwidth. We have looked at BPF and TrimPCAP, but we need at least 48 hours of those pcaps which triggered the alerts.


Thank you!

Wes Lambert

Jul 19, 2018, 8:25:14 AM
to securit...@googlegroups.com
Hi Agustin,

You could try using the following, however, that doesn't really solve the problem of storage for PCAPs and/or Bro logs.


I would also recommend extending your storage and performing more filtering with BPF, and maybe utilizing TrimPCAP if necessary.

Thanks,
Wes


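The retention problem in this thread is that the rotating full-packet store overwrites an alert's packets before anyone looks at them. One defensive pattern (an added example written for this thread, not Security Onion's own code and not what Wes linked) is to carve the packets belonging to an alert's flow out of the capture as soon as the alert fires and write them to a separate retention location that the rotation never touches, so the full store can keep a short window while alert evidence survives for the 48 hours the poster needs. The script below parses standard little-endian microsecond pcap files, matches packets bidirectionally on the alert's IPv4 5-tuple inside a time window, and emits a new pcap. The addresses, ports and timestamps are constructed sample data; the flow, the file layout helpers and the `carve_alert_packets` name are all assumptions of this example.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4        # little-endian, microsecond-resolution pcap
LINKTYPE_ETHERNET = 1


@dataclass(frozen=True)
class FlowKey:
    """IPv4 5-tuple of an alert (hypothetical shape; not a Sguil/Snort structure)."""
    proto: int
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "FlowKey":
        return FlowKey(self.proto, self.dst, self.dport, self.src, self.sport)


def pcap_global_header(snaplen: int = 65535) -> bytes:
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def iter_records(pcap: bytes) -> Iterator[Tuple[float, bytes, bytes]]:
    """Yield (timestamp, 16-byte record header, frame bytes) for every packet."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        hdr = pcap[off:off + 16]
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", hdr)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        yield ts_sec + ts_usec / 1e6, hdr, frame


def flow_key(frame: bytes) -> Optional[FlowKey]:
    """Extract the IPv4 5-tuple from an Ethernet frame; None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = 14 + ihl
    sport = dport = 0
    if proto in (6, 17) and len(frame) >= l4 + 4:   # TCP or UDP carry ports
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return FlowKey(proto, src, sport, dst, dport)


def carve_alert_packets(pcap: bytes, alert: FlowKey, t_start: float, t_end: float) -> bytes:
    """Return a new pcap holding only packets of the alert's flow (both directions)
    whose timestamp lies in [t_start, t_end]. Records are copied byte-for-byte."""
    wanted = {alert, alert.reverse()}
    out = [pcap_global_header()]
    for ts, hdr, frame in iter_records(pcap):
        if t_start <= ts <= t_end and flow_key(frame) in wanted:
            out.append(hdr + frame)
    return b"".join(out)


def packet_count(pcap: bytes) -> int:
    return sum(1 for _ in iter_records(pcap))


# --- constructed sample traffic (documentation addresses, not a real capture) ----
def _frame(src: str, sport: int, dst: str, dport: int) -> bytes:
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x10, 65535, 0, 0)
    return eth + ip + tcp


def _record(ts: float, frame: bytes) -> bytes:
    sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


ALERT = FlowKey(6, "10.0.0.5", 51234, "203.0.113.9", 443)
SAMPLE_PCAP = pcap_global_header() + b"".join([
    _record(1000.0, _frame("10.0.0.5", 51234, "203.0.113.9", 443)),   # alert flow
    _record(1000.5, _frame("203.0.113.9", 443, "10.0.0.5", 51234)),   # its reply
    _record(1001.0, _frame("10.0.0.6", 40000, "203.0.113.9", 443)),   # unrelated host
    _record(2000.0, _frame("10.0.0.5", 51234, "203.0.113.9", 443)),   # outside window
])

if __name__ == "__main__":
    kept = carve_alert_packets(SAMPLE_PCAP, ALERT, 999.0, 1002.0)
    print(packet_count(SAMPLE_PCAP), "packets in,", packet_count(kept), "retained")
    # In a deployment, write `kept` to a path outside the rotating pcap directory.
```

Run against the constructed capture, four packets go in and two come out (the alert's request and its reply); the unrelated host and the out-of-window packet are dropped. The time window matters as much as the 5-tuple: without it a long-lived flow would pull in far more than the evidence around the alert, which defeats the point of saving space. Triggering this from the alert pipeline rather than from an analyst's later click is what lets it beat the one-hour rotation the poster describes.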

