Replies: 1 comment 1 reply
-
|
Is the PCAP section on SOC suppose to work already when I switch to SURI for PCAP. I updated to 2.4.60 and I switch to SURI for pcap and I tried to extract pcap from soc and it is not spitting out pcap for me.. I did the bare minimum filter for pcap extraction "sensor id; filter start; and filter end" |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
Both SOC and Suricata need to restart before you will be able to pull pcap. If you had previous PCAP its better to set it to TRANSITION so that you can see older PCAPs and new ones as well. |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
We rolled out the option to use Suricata for PCAP in 2.4.60. Here is a link to the differences:
https://docs.securityonion.net/en/2.4/suricata.html#pcap
Although it is still officially beta until we can use BPFs for PCAP in Suricata, we wanted to get it out to the community to test it. I know some users just want to PCAP alerts or they want to trim PCAP for longer retention and Suricata PCAP will enable that. If you don't have the need for BPFs then we recommend switching over. You can still access your old PCAP from steno if you use the transition value in the global settings.
Please read the docs carefully as you will need to set the disk space to use on existing sensors. We welcome feedback from the community as we further test this feature.
Beta Was this translation helpful? Give feedback.
All reactions