Kevin O'Reilly
If you are willing to invest time then I will be grateful as it is a scarce commodity for me. What I would first of all like to establish is:...
Hi Carson - sorry not to reply earlier - only just spotted your most recent message. The mechanism for collecting dropped files starts with the file-related API hooks such as...
I just took a look at Pafish, latest 32-bit release ``9e7d694ed87ae95f9c25af5f3a5cea76188cd7c1c91ce49c92e25585f232d98e``. My first observation is that the mouse movement function fails for both zero movement and 'supernatural' movement, so it's...
Yes indeed the tlsdump feature should mean that the encrypted traffic in the pcap gets decrypted and thus seen by suricata - you should therefore see the results of this...
No I didn't mean "is this your use case?" - I meant "is it the case that your exe produces the expected output in the network tab?"!
The HTTP(s) field is straight from the pcap whereas the suricata fields depend on suricata processing the pcap. So it sounds like the capture to pcap and decryption is fine,...
I will be making a PR for this soon - watch this space.
Interesting issue - thanks for the detailed report and apologies about the auto-close. It protects us from most lame issues but occasionally closes good ones. It seems your research has...
This is still very much a feature, nothing has been removed from 'official' cape!
As far as I know there should be a 'TID' column in the behavioural analysis (or API) logs with the thread ID for each call.