Only save packet data when an alert is generated #10358
-
Hi, is there a way to only save packet data when an alert is generated? I'd like not to save my 200 GB Steam game update packet data but only the fact that that connection was made (as a Steam download should not generate an alert on my configuration and thus no packet data should be saved, only connection information).
Replies: 2 comments 3 replies
-
Use a BPF to filter out data and only apply it to steno.
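As an added illustration of that reply (not configuration from the discussion or from the Security Onion project itself), here is what a Stenographer-only BPF could look like in a sensor's minion pillar. The `steno: bpf:` key layout is assumed from memory of the Security Onion 2.3 BPF docs, and the 203.0.113.0/24 range is a constructed placeholder for the CDN addresses you would read out of your own Zeek conn logs; check your version's docs before applying.

```yaml
# Assumed location: /opt/so/saltstack/local/pillar/minions/<sensor>_sensor.sls
# Only Stenographer gets the filter. Suricata and Zeek are left unfiltered, so the
# download still produces conn/http/ssl logs (the "connection was made" record)
# and any rule that does fire still keeps its payload in network.data.decoded.
steno:
  bpf:
    # Drop bulk game-update traffic from full-packet capture: TCP 80/443 to the
    # CDN range (203.0.113.0/24 is a constructed placeholder). Use address ranges
    # rather than hostnames: a hostname in a BPF is resolved once when the filter
    # is compiled, which does not work for a CDN that answers from many addresses.
    - not (tcp and (port 80 or port 443) and net 203.0.113.0/24)
```

After changing the pillar, apply the highstate to the sensor and confirm with a test alert that the PCAP lookup from the Alerts console still returns packets for traffic outside the excluded range.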
-
Suricata does save a subset of the packet data when an alert is generated -- if you open up the alert in the Alerts console or Hunt, it will be listed under the field network.data.decoded. |
That really depends on what you want to be able to accomplish once you have the alert. The real reason full pcap is there is for what happens before and after the alert. If you apply this to a scenario where you get an alert that tells you a reverse shell has been opened and you are only saving pcaps on alerts, you now have PCAP of the actor opening a shell. What you miss after that is the possible C2 activity coming from that machine or RAR files leaving the network with the plans of the Death Star. All things that, if you don't have exact rules for, you would never see. You would have metadata about them sending large …