<div dir="ltr">If you are wanting to record ALL the traffic, I would recommend something like Daemonlogger or OpenFPC, or Gulp (this is an older program, source code available at <a href="http://staff.washington.edu/corey/gulp/">http://staff.washington.edu/corey/gulp/</a>).<div>
<br></div><div>If you are wanting to record traffic from a single IP, then Gulp is fairly simple, just tell it how many files to use as a ring buffer and let it fly.  Daemonlogger is a bit more modern and works fairly well on my server here (runs on the same server as Suricata).</div>
<div><br></div><div>See Yas!<br>~Brant</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Sep 18, 2013 at 1:59 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm pretty sure the way suricata works internally is that a single alert<br>
will only trigger once per flow.<br>
<br>
If you want to record traffic, I'll suggest using tcpdump or tcpflow.<br>
<br>
-Coop<br>
<div><div class="h5"><br>
On 9/18/2013 10:19 AM, Duane Howard wrote:<br>
> Hey folks, another strange behavior I'm seeing that I'm wondering about.<br>
><br>
> I have a rule like this, which I believe should basically record all<br>
> sessions to IP_I_CARE_ABOUT:<br>
> alert ip $HOME_NET any -> $IP_I_CARE_ABOUT any (msg:"log all traffic";<br>
> tag:session,300,seconds; reference:url,<a href="http://foo.example.com" target="_blank">foo.example.com</a>;<br>
> classtype:misc-activity; priority:2; sid:9000001; rev:1;)<br>
><br>
> I also have http logging enabled.<br>
> It seems like when this rule fires I get the SYN/SYN-ACK/ACK, but do not<br>
> get any further traffic when the traffic is HTTP; I do, however, get<br>
> corresponding HTTP text logs written to my http.log file.<br>
><br>
> Is this working as intended? I assumed that I would get the full capture as<br>
> well as the plaintext log of the HTTP traffic.<br>
><br>
> Thanks,<br>
> /.d<br>
><br>
><br>
><br>
</div></div>> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
><br>
<br>
<br>
-- <br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ACT Security Team<br>
<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><font face="verdana, sans-serif">~Brant Wells</font><div><font size="1" face="georgia, serif">Network Administrator<br></font><div><font size="1" face="georgia, serif">Toccoa Falls College</font></div>
<div><font size="1" face="georgia, serif">107 North Chapel Drive Toccoa Falls, GA 30598</font></div><div><font size="1" face="georgia, serif">706-886-7299 x5414 * <a href="mailto:bwells@tfc.edu" target="_blank">bwells@tfc.edu</a></font></div>
<div><b><br></b><div><b><br></b></div></div></div>
</div>
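As an added example (not code from this thread or from the Suricata project), a small Python parser for rules like the one Duane posted above: it splits the header from the option list, keeps ';' inside the quoted msg value, and checks each tag option against the tag:session / tag:host syntax documented for Suricata. The sample rule is the thread's rule joined onto one line; the bad rules in the checks are constructed.

```python
import re
# Constructed sample: the rule from the thread, joined onto one line.
SAMPLE_RULE = ('alert ip $HOME_NET any -> $IP_I_CARE_ABOUT any (msg:"log all traffic"; '
               'tag:session,300,seconds; reference:url,foo.example.com; '
               'classtype:misc-activity; priority:2; sid:9000001; rev:1;)')
HEADER_RE = re.compile(r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
                       r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
TAG_METRICS = ("packets", "seconds", "bytes")

def split_options(body):
    """Split 'k:v; k2; ...' on ';' outside double quotes (quotes kept, backslash escapes not handled)."""
    opts, cur, quoted = [], [], False
    for ch in body + ';':                  # trailing ';' flushes the last token
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            token, cur = ''.join(cur).strip(), []
            if token:                      # value is None for bare keywords
                key, sep, val = token.partition(':')
                opts.append((key.strip(), val.strip() if sep else None))
        else:
            cur.append(ch)
    return opts

def parse_rule(text):
    """Return the header fields plus the option list as a dict."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a recognisable rule header")
    rule = m.groupdict()
    rule['options'] = split_options(rule.pop('opts'))
    return rule

def tag_errors(rule):
    """Check tag options against tag:session,<count>,<metric> / tag:host,<count>,<metric>,<src|dst>."""
    errs = []
    for val in (v for k, v in rule['options'] if k == 'tag'):
        parts = [p.strip() for p in (val or '').split(',')]
        kind, want = parts[0], {'session': 3, 'host': 4}.get(parts[0])
        if want is None or len(parts) != want:
            errs.append(f"bad tag layout {val!r}: expect session,<n>,<metric> or host,<n>,<metric>,<src|dst>")
            continue
        if not parts[1].isdigit() or int(parts[1]) == 0:
            errs.append(f"tag count must be a positive integer, got {parts[1]!r}")
        if parts[2] not in TAG_METRICS:
            errs.append(f"tag metric must be one of {TAG_METRICS}, got {parts[2]!r}")
        if kind == 'host' and parts[3] not in ('src', 'dst'):
            errs.append(f"tag:host direction must be src or dst, got {parts[3]!r}")
    return errs
```

Running `tag_errors(parse_rule(SAMPLE_RULE))` on the thread's rule returns an empty list, so the option itself is well formed; the partial capture Duane saw is not a syntax problem.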