
<div dir="ltr"><div>I googled, but did not find any docs about it.... saw some hits on the sourcecode, but did not dig into them.<br><br></div>This is a great feature to have though, and I guess one can use this for a fairly good packet capture and might satisfy the initial request?<br>

<br>E<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Sep 19, 2013 at 9:33 AM, Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>

Hash: SHA1<br>

<br>

On 09/19/2013 09:07 AM, Edward Fjellskål wrote:<br>

> <a href="https://redmine.openinfosecfoundation.org/issues/120" target="_blank">https://redmine.openinfosecfoundation.org/issues/120</a><br>

><br>

> Snort would be able to do this like:<br>

><br>

> *alert tcp 85.19.221.54 any <> $HOME_NET any (msg:”GL Log Packet<br>

> Evil-IP 85.19.221.54 (<a href="http://gamelinux.org" target="_blank">gamelinux.org</a> <<a href="http://gamelinux.org" target="_blank">http://gamelinux.org</a>>)”;<br>

> flags:S; tag:session,1000,bytes,100,seconds,0,packets;<br>

> classtype:trojan-activity; sid:201102011; rev:1;)*<br>

<br>

We support this tagging as well, never really benched it.<br>

<br>

- --<br>

- ---------------------------------------------<br>

Victor Julien<br>

<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>

PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>

- ---------------------------------------------<br>

<br>

-----BEGIN PGP SIGNATURE-----<br>

Version: GnuPG v1.4.11 (GNU/Linux)<br>

Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>

<br>

iEYEARECAAYFAlI6qNwACgkQiSMBBAuniMdDygCfZZlCrjgcuk/7svb+wflh7TuW<br>

+LMAnix912WIG/Uz0bfbAYAp+UEayj48<br>

=l6yu<br>

-----END PGP SIGNATURE-----<br>

_______________________________________________<br>

Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>

Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>

List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>

</blockquote></div><br><br clear="all"><br>-- <br>Edward Bjarte Fjellskål<br>Senior Security Analyst<br><a href="http://www.gamelinux.org/" target="_blank">http://www.gamelinux.org/</a>

</div>