From 0f12297f5019e91def5af525ffcd113108dc9e29 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 6 Mar 2024 08:19:42 -0500
Subject: [PATCH] add new pcap annotations
---
 salt/soc/soc_soc.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 645a4c8a9..799d9af4e 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -127,7 +127,7 @@ soc:
 global: True
 advanced: True
 lookupTunnelParent:
- description: When true, if a pivoted event appears to be encapsulated, such as in a VxLan packet, then SOC will pivot to the VxLan packet stream. This can be useful if the PCAP parser is unable to locate the encapsulated packets. However, if the parser is written in a way that it can find a given filter even if its encapsulated, this is best left to false, as the analyst will see the intended packet data rather than the wrapping packet data.
+ description: When true, if a pivoted event appears to be encapsulated, such as in a VXLAN packet, then SOC will pivot to the VXLAN packet stream. When false, SOC will attempt to pivot to the encapsulated packet stream itself, but at the risk that it may be unable to locate it in the stored PCAP data.
 global: True
 sostatus:
 refreshIntervalMs:
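Review bot: The new `description` for `lookupTunnelParent` no longer tells the operator which value to prefer, and it does not say what an analyst sees when the false setting fails to locate the encapsulated stream. On a PCAP pivot that gap matters, because an empty result can be misread as "no traffic was captured" rather than as a lookup miss on tunnelled traffic. Consider closing the description with a sentence such as `If a pivot on an encapsulated event returns no packets, retry with this setting enabled.`, provided that matches SOC's actual behaviour, which the hunk does not show. The enclosing `soc:` mapping starts and ends outside the hunk, so the setting's default is not visible here either.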