There are two ways I know of to obtain the PCAP for a specific Snort (IDS/IPS) event.
1. Request packets through the eStreamer API. You'll get all the packets all the time. It is possible to request a specific PCAP through eStreamer, but I'm not entirely sure how that's done. ArcSight does it using the timestamp for the Snort event, but this approach is prone to error (see no. 2).
2. Using the JDBC interface you can request a packet using the Timestamp, Event ID and device name from the Snort event. This tuple of information assures that you'll get _the_ correct packet and is a better way to implement option 1.
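As an added illustration of option 2 (not code from the post): a Python sketch that binds the (Event ID, Timestamp, device name) tuple as query parameters and writes the returned packet bytes out as a classic pcap file. The table and column names, and the in-memory stand-in for the JDBC cursor, are assumptions.

```python
import struct

# Table and column names below are assumptions for illustration; substitute the
# names from the FireSIGHT database-access schema you actually have.
PACKET_QUERY = (
    "SELECT packet_time, packet_data FROM intrusion_event_packet "
    "WHERE event_id = ? AND event_time = ? AND device_name = ?"
)

def fetch_event_packets(execute, event_id, event_time, device_name):
    """execute(sql, params) is the JDBC/DB-API cursor call supplied by the caller.
    All three keys are bound as parameters: together they pin down one event, and
    binding (not string formatting) keeps the lookup free of SQL injection."""
    return list(execute(PACKET_QUERY, (event_id, event_time, device_name)))

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def build_pcap(packets, snaplen=65535):
    """packets: iterable of (timestamp_seconds, raw_frame). Returns classic pcap bytes:
    a 24-byte global header followed by a 16-byte record header per frame."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, data in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return bytes(out)

# Constructed sample rows: two events logged in the same second by different sensors,
# which is exactly the case where a timestamp-only lookup can return the wrong packet.
FRAME_A = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x45" + b"\x00" * 19
FRAME_B = b"\xff" * 6 + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + b"\x45" + b"\x00" * 19
SAMPLE_ROWS = [
    (101, 1700000000, "sensor-a", 1700000000.25, FRAME_A),
    (102, 1700000000, "sensor-b", 1700000000.75, FRAME_B),
]

def sample_execute(sql, params):
    """Stand-in for a JDBC cursor: applies the WHERE clause to SAMPLE_ROWS in memory."""
    event_id, event_time, device_name = params
    return [(ptime, pdata) for eid, etime, dev, ptime, pdata in SAMPLE_ROWS
            if (eid, etime, dev) == (event_id, event_time, device_name)]

def pcap_for_event(event_id, event_time, device_name, execute=sample_execute):
    """Look up one event's packet(s) by the full tuple and return them as pcap bytes."""
    return build_pcap(fetch_event_packets(execute, event_id, event_time, device_name))

if __name__ == "__main__":
    with open("event_101.pcap", "wb") as fh:
        fh.write(pcap_for_event(101, 1700000000, "sensor-a"))
```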