Capme and full packet capture.


gage...@gmail.com

Sep 20, 2018, 10:40:26 AM
to security-onion
Is there a way to turn off full packet capture and still have CAPme work for squert?

Wes Lambert

Sep 20, 2018, 12:00:07 PM
to securit...@googlegroups.com
I'm not sure what you mean -- are you referring to going forward, being able to access previously recorded PCAPs from before netsniff-ng (FPC) was disabled?

Thanks,
Wes

On Thu, Sep 20, 2018 at 10:40 AM <gage...@gmail.com> wrote:
Is there a way to turn off full packet capture and still have CAPme work for squert?

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.


gage...@gmail.com

Sep 20, 2018, 12:17:49 PM
to security-onion
We are trying to keep full packet capture turned off but still be able to go into squert and access those pcap sessions that the snort rules hit on through CAPme. Is that possible, or do you need FPC turned on?
Let me know if that makes sense or not.
Thank you.

Steven J

Sep 20, 2018, 10:06:07 PM
to securit...@googlegroups.com
From my limited knowledge, you can't have it both ways. You need to capture the packet data in some way in order to read it in, whether with CAPme, Wireshark, or other packet readers that may be available.

If storage space is your concern, you could consider provisioning more disk space. Relatively speaking, weighing the benefit versus the cost of retaining PCAP data, disk is pretty cheap. In a corporate environment there is likely a process to request and justify the need for more disk space, which can take some time depending on the business model being followed.

Another option is trimpcap, which chops off some of the less significant bytes at the end of the payload which significantly reduces the file save size yet retains the most essential parts of the payload.
https://github.com/Security-Onion-Solutions/security-onion/wiki/Trimming-PCAPs.




Steven Malm
Roc-Analyst I
Lyrical Security
174 Spadina Ave, Suite 400, Toronto, ON, Canada - M5T 2C2
