
improved dumpy integration

Open inliniac opened this issue 8 years ago • 2 comments

It would be nice to have a direct link to a dumpy generated pcap, instead of first opening the dumpy web page. Perhaps some sane defaults about the timerange can be used.

Additionally, if flow/netflow records are enabled perhaps it's possible to correlate them with the alert record, and pass the (net)flow start/end times to dumpy as the duration.

inliniac avatar Aug 28 '16 10:08 inliniac
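As an added illustration of the request above (not code from EveBox or dumpy): the helper below reads EVE JSON lines, and for an alert picks the pcap time window by looking for a `flow` record with the same `flow_id` and using its `flow.start`/`flow.end`; when no flow record is available it falls back to the alert timestamp padded by a default on both sides. The dumpy query parameter names (`start`, `end`, `flow_id`) and the base URL are assumptions for illustration only, and the sample EVE records are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Suricata EVE timestamps look like "2016-08-28T10:08:00.123456+0000".
const eveTimeLayout = "2006-01-02T15:04:05.999999-0700"

// FlowTimes is the start/end pair carried by an EVE "flow" record.
type FlowTimes struct {
	Start string `json:"start"`
	End   string `json:"end"`
}

// EveEvent holds only the EVE fields needed for pcap correlation.
type EveEvent struct {
	Timestamp string     `json:"timestamp"`
	EventType string     `json:"event_type"`
	FlowID    uint64     `json:"flow_id"`
	Flow      *FlowTimes `json:"flow,omitempty"`
}

// ParseEveLines decodes newline-delimited EVE JSON, skipping blank lines.
func ParseEveLines(data string) ([]EveEvent, error) {
	var out []EveEvent
	for _, line := range strings.Split(data, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var ev EveEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, err
		}
		out = append(out, ev)
	}
	return out, nil
}

// parseEveTime parses an EVE timestamp and normalises it to UTC.
func parseEveTime(s string) (time.Time, error) {
	t, err := time.Parse(eveTimeLayout, s)
	if err != nil {
		return time.Time{}, err
	}
	return t.UTC(), nil
}

// CaptureWindow returns the [start, end] range to request from the pcap
// store. A flow record matching the alert's flow_id wins; otherwise the
// alert timestamp padded by pad on both sides is the "sane default".
func CaptureWindow(alert EveEvent, flows []EveEvent, pad time.Duration) (time.Time, time.Time, error) {
	for _, f := range flows {
		if f.EventType != "flow" || f.Flow == nil || f.FlowID != alert.FlowID {
			continue
		}
		start, err := parseEveTime(f.Flow.Start)
		if err != nil {
			return time.Time{}, time.Time{}, err
		}
		end, err := parseEveTime(f.Flow.End)
		if err != nil {
			return time.Time{}, time.Time{}, err
		}
		return start, end, nil
	}
	ts, err := parseEveTime(alert.Timestamp)
	if err != nil {
		return time.Time{}, time.Time{}, err
	}
	return ts.Add(-pad), ts.Add(pad), nil
}

// DumpyLink builds a direct download URL. The parameter names are an
// assumption for this example, not dumpy's real query interface.
func DumpyLink(base string, flowID uint64, start, end time.Time) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("start", start.Format(time.RFC3339Nano))
	q.Set("end", end.Format(time.RFC3339Nano))
	q.Set("flow_id", fmt.Sprint(flowID))
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// Constructed sample: one alert and the flow record it belongs to.
const sampleEve = `{"timestamp":"2016-08-28T10:08:00.500000+0000","event_type":"alert","flow_id":1234}
{"timestamp":"2016-08-28T10:08:03.000000+0000","event_type":"flow","flow_id":1234,"flow":{"start":"2016-08-28T10:07:58.000000+0000","end":"2016-08-28T10:08:03.000000+0000"}}
`

func main() {
	events, err := ParseEveLines(sampleEve)
	if err != nil {
		panic(err)
	}
	start, end, err := CaptureWindow(events[0], events, 5*time.Second)
	if err != nil {
		panic(err)
	}
	// Base URL is a placeholder for wherever dumpy is served.
	link, _ := DumpyLink("http://dumpy.example/pcap", events[0].FlowID, start, end)
	fmt.Println(link)
}
```

The fallback padding is deliberately symmetric so that a link still works for alerts whose flow record has not been emitted yet (Suricata writes the flow record when the flow ends, which can be well after the alert).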

Yes, I think I'll be adding first class support for dumpy. I once had it, but lost it in the rewrite to angular2.

I'm looking at adding a "Flow" panel to the event detail view that shows the flow for the particular event. From there, a quick link to download the entire flow.

jasonish avatar Aug 30 '16 22:08 jasonish

If we implement this in Suricata it may also be useful: https://redmine.openinfosecfoundation.org/issues/1879

inliniac avatar Aug 31 '16 07:08 inliniac