The IDH nodes do not have PCAP functionality. The alerts are coming from the Sigma rules in Detections triggering against logs written by Opencanary, not from observation of network traffic.
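As an added illustration of the reply above (example code written for this page, not part of the discussion, of Security Onion or of OpenCanary): a Sigma-style selection applied to constructed OpenCanary JSON log lines, showing that the alert is built entirely from log fields. The `logtype` codes, field names and log contents are assumptions.

```python
import json

# Constructed OpenCanary-style log lines (not real captured data). OpenCanary
# writes one JSON object per event; logtype 9001/9002 are ASSUMED here to be
# the MSSQL SQL-auth / Windows-auth login events, 1001 a housekeeping message.
SAMPLE_LOG = """
{"dst_host": "10.0.0.5", "dst_port": 1433, "local_time": "2024-05-01 10:00:01", "logtype": 9001, "node_id": "idh-1", "src_host": "10.0.0.99", "src_port": 51001, "logdata": {"USERNAME": "sa", "PASSWORD": "Password1"}}
{"dst_host": "10.0.0.5", "dst_port": -1, "local_time": "2024-05-01 10:00:02", "logtype": 1001, "node_id": "idh-1", "src_host": "", "src_port": -1, "logdata": {"msg": "Canary running"}}
{"dst_host": "10.0.0.5", "dst_port": 1433, "local_time": "2024-05-01 10:00:05", "logtype": 9002, "node_id": "idh-1", "src_host": "10.0.0.77", "src_port": 51002, "logdata": {"USERNAME": "admin", "HOSTNAME": "WKSTN01"}}
"""

# A Sigma 'detection: selection' block as a dict: every field must match and a
# list of values is OR-ed, which is how Sigma evaluates a selection.
MSSQL_LOGIN_SELECTION = {"logtype": [9001, 9002]}


def parse_opencanary(text):
    """Yield one dict per non-empty JSON log line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def matches(event, selection):
    """True when every selection field matches (scalars or lists of values)."""
    for field, wanted in selection.items():
        allowed = wanted if isinstance(wanted, list) else [wanted]
        if event.get(field) not in allowed:
            return False
    return True


def detect_mssql_logins(text, selection=MSSQL_LOGIN_SELECTION):
    """Return alert records derived purely from log fields. No packet data is
    involved at any point, which is why such an alert has no PCAP to pivot to."""
    alerts = []
    for ev in parse_opencanary(text):
        if matches(ev, selection):
            alerts.append({
                "rule": "Security Onion IDH - MSSQL Attempted Login",
                "node": ev["node_id"],
                "src": f"{ev['src_host']}:{ev['src_port']}",
                "user": ev["logdata"].get("USERNAME"),
                "pcap_available": False,
            })
    return alerts
```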
Hello,
I've been looking for information about this and I haven't found how to do it.
When I try to see the PCAP of an alert like "Security Onion IDH - MSSQL Attempted Login" reported by IDH, I get this error: "The request could not be processed. Contact a server admin for assistance with reviewing error details in SOC logs."
I saw that PCAP was disabled for the IDH and I have activated it from configuration - pcap - enable - idhnode - true. I have waited a long time and reset all the machines, but the so-status of the IDH doesn't show so-steno running.
Is it possible to get PCAPs from an IDH node? Have I missed something obvious, or is it not possible?
Thank you for your help.
Regards,
Carlos