Step-by-step guide
KATA 3.7.2
Connect via SSH to the Central Node or the Sensor node that processes the SPAN traffic;
Proceed to Technical Support Mode;
Become root with the command:
# sudo -i
Create the file /etc/suricata/capture-filter.bpf containing a single line with the traffic filtering conditions (the syntax is the same as for tcpdump filter expressions); an example filter is shown below:
Exa
We suggest a free and lightweight client that is part of the PuTTY suite: pscp.
Step-by-step guide
You can download pscp.exe for Windows from the official PuTTY site.
Navigate to the folder containing pscp.exe and start cmd or PowerShell there.
To copy files to KATA, run the following command:
.\pscp.exe -scp <path to loc
If you are writing your own rules for the YARA engine on the Central Node, you may need to know which YARA modules are available and which engine version is in use.
Engine version is 3.7-3.11 in KATA 3.7.x
Engine version is 4.10 in KATA 4.1 and KATA 5.0
Here's the list of modules:
tests
pe
elf
math
time
pe_utils
magic
hash
dotnet
dex
For more information on these modules, please refer to the YARA documentation.
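As an added illustration (not a rule shipped with KATA or taken from this article), the rule below uses the pe and math modules from the list above to flag PE files whose sections have packer-like entropy. It uses the index-based loop syntax so that it compiles on the YARA 3.7-3.11 engine of KATA 3.7.x as well as on 4.x; the 7.2 entropy threshold and the rule name are assumptions chosen for the example and should be tuned before use in production.

```yara
import "pe"
import "math"

// Example rule, added here for illustration; not part of the KATA product.
// Flags PE files containing at least one non-empty section whose raw data
// has very high Shannon entropy, which is typical of packed or encrypted
// payloads. Threshold 7.2 (max is 8.0) is an assumed starting value.
rule Example_Packed_PE_High_Entropy_Section
{
    meta:
        description = "PE with a high-entropy section (possible packer)"
        engine_note = "index loop form compiles on YARA 3.7+ and 4.x"

    condition:
        // MZ header check works on every YARA version used by KATA
        uint16(0) == 0x5A4D and
        pe.number_of_sections > 0 and
        for any i in (0 .. pe.number_of_sections - 1) : (
            pe.sections[i].raw_data_size > 0 and
            math.entropy(pe.sections[i].raw_data_offset,
                         pe.sections[i].raw_data_size) > 7.2
        )
}
```

Legitimate installers and compressed resources also produce high-entropy sections, so treat a match as a triage signal rather than a verdict and whitelist known packers as needed.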