<div dir="ltr"><div>I googled, but did not find any docs about it.... saw some hits on the source code, but did not dig into them.<br><br></div>This is a great feature to have though, and I guess one can use this for a fairly good packet capture and might satisfy the initial request?<br>
<br>E<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Sep 19, 2013 at 9:33 AM, Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 09/19/2013 09:07 AM, Edward Fjellskål wrote:<br>
> <a href="https://redmine.openinfosecfoundation.org/issues/120" target="_blank">https://redmine.openinfosecfoundation.org/issues/120</a><br>
><br>
> Snort would be able to do this like:<br>
><br>
> alert tcp 85.19.221.54 any <> $HOME_NET any (msg:"GL Log Packet<br>
> Evil-IP 85.19.221.54 (<a href="http://gamelinux.org" target="_blank">gamelinux.org</a>)";<br>
> flags:S; tag:session,1000,bytes,100,seconds,0,packets;<br>
> classtype:trojan-activity; sid:201102011; rev:1;)<br>
<br>
We support this tagging as well, never really benched it.<br>
<br>
-- <br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Edward Bjarte Fjellskål<br>Senior Security Analyst<br><a href="http://www.gamelinux.org/" target="_blank">http://www.gamelinux.org/</a>
</div>