<div dir="ltr"><div><div>I believe there are two options for doing this. First is setting your stream variables in a way that causes Suricata to continue to inspect encrypted traffic (I forget if/how this is possible at the moment). The second is setting "use-stream-depth: no" in the pcap-log section. If you want an example take a look at <a href="http://rules.emergingthreats.net/open/suricata-1.3/suricata-1.3-open.yaml">http://rules.emergingthreats.net/open/suricata-1.3/suricata-1.3-open.yaml</a><br>
<br></div>For what it's worth, I found the packet capture output from Suricata to be very inefficient. Running tcpdump at the same time produced much better results for me. There are some programs that capture more efficiently than tcpdump which you may want to explore as well.<br>
<br><br></div>Jake Gionet<br><div><br><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Feb 19, 2013 at 5:55 PM, Mike Ware <span dir="ltr"><<a href="mailto:mware@zettaset.com" target="_blank">mware@zettaset.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Is there a way to set the pcap logging to capture encrypted traffic? <div>Thanks<span class="HOEnZb"><font color="#888888"><div>
Mike</div></font></span></div></div>
<br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br></blockquote></div><br></div>
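<p>As an added illustration (not part of the original thread or of the Suricata project's shipped configuration), the two settings the reply refers to as they appear in a suricata.yaml: the stream reassembly depth, after which Suricata stops inspecting a flow, and the pcap-log option that decides whether packets past that depth are still written to disk. The values shown are assumed for the example; only the key names are taken from the Suricata configuration format.</p>

```yaml
# Example suricata.yaml fragment (constructed for illustration).
# Stream reassembly depth: once this many bytes of a flow have been
# reassembled, Suricata stops inspecting that flow. Encrypted sessions
# hit this ceiling quickly, so later packets are no longer inspected.
stream:
  memcap: 32mb
  checksum-validation: yes
  reassembly:
    memcap: 64mb
    depth: 1mb          # inspection stops here; raise with care, it costs memory

# pcap-log writes packets to a rolling pcap file.
pcap-log:
  enabled: yes
  filename: log.pcap
  limit: 1000mb         # rotate when the file reaches this size
  max-files: 2000       # keep at most this many rotated files
  mode: normal
  # "yes": stop logging a flow's packets once stream.reassembly.depth is reached.
  # "no":  keep logging every packet of the flow, including the encrypted
  #        payload that inspection has already given up on.
  use-stream-depth: no
```

<p>With <code>use-stream-depth: no</code> the capture is independent of the inspection depth, so the full encrypted session lands in the pcap even though detection stops at 1mb; the trade-off is disk usage, since the rolling capture then grows at line rate rather than at inspected-byte rate. The <code>limit</code> and <code>max-files</code> values bound that growth and are worth sizing before enabling it.</p>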