<div dir="ltr"><div><div><a href="https://redmine.openinfosecfoundation.org/issues/120">https://redmine.openinfosecfoundation.org/issues/120</a><br><br></div>Snort would be able to do this like:<br><br><strong>alert tcp 85.19.221.54 any <> $HOME_NET any (msg:”GL Log 
Packet Evil-IP 85.19.221.54 (<a href="http://gamelinux.org">gamelinux.org</a>)”; flags:S; 
tag:session,1000,bytes,100,seconds,0,packets; classtype:trojan-activity;
 sid:201102011; rev:1;)</strong><br><br><br></div>Its an OK feature... but if it sucks performance, I would leave it out :) if not - I would love it!<br><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Wed, Sep 18, 2013 at 9:41 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
You can, it just won't log every packet for that flow.<br>
<br>
Suricata does have a pcap logging function, but it simply logs<br>
everything (which probably isn't what you want).<br>
<br>
Try using tcpdump.  It has almost zero overhead on a modern kernel.<br>
<br>
- -Coop<br>
<br>
On 9/18/2013 12:26 PM, Duane Howard wrote:<br>
> Downside is "yet another service" on my many sensors, which I was hoping to<br>
> avoid. I'm assuming there's no flag to tell Suricata to log to http.log and<br>
> a u2 file?<br>
><br>
><br>
> On Wed, Sep 18, 2013 at 11:13 AM, Eoin Miller <<br>
> <a href="mailto:eoin.miller@trojanedbinaries.com">eoin.miller@trojanedbinaries.com</a>> wrote:<br>
><br>
>> On 9/18/2013 17:19, Duane Howard wrote:<br>
>>> Hey folks, another strange behavior I'm seeing that I'm wondering about.<br>
>>><br>
>>> I have a rule like this, which I believe should basically record all<br>
>>> sessions to IP_I_CARE_ABOUT:<br>
>>> alert ip $HOME_NET any -> $IP_I_CARE_ABOUT any (msg:"log all traffic";<br>
>>> tag:session,300,seconds; reference:url,<a href="http://foo.example.com" target="_blank">foo.example.com</a><br>
>>> <<a href="http://foo.example.com" target="_blank">http://foo.example.com</a>>; classtype:misc-activity; priority:2;<br>
>>> sid:9000001; rev:1;)<br>
>>><br>
>>> I also have http logging enabled.<br>
>>> It seems like when this rule fires I get the SYN/SYN-ACK/ACK, but do not<br>
>>> get any further traffic when the traffic is HTTP, I do however get<br>
>>> corresponding HTTP text logs written to my http.log file.<br>
>>><br>
>>> Is this working as intended? I assumed that I would get the full capture<br>
>>> as well as the plaintext log of the HTTP traffic.<br>
>>><br>
>>> Thanks,<br>
>>> /.d<br>
>><br>
>> You should take a look at Moloch.<br>
>><br>
>> <a href="http://molo.ch" target="_blank">http://molo.ch</a><br>
>> <a href="http://github.com/aol/moloch" target="_blank">http://github.com/aol/moloch</a><br>
>><br>
>> -- Eoin<br>
>><br>
>> _______________________________________________<br>
>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
>> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>> OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
>><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
><br>
<br>
<br>
- --<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ACT Security Team<br>
<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.17 (MingW32)<br>
Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
iQEcBAEBAgAGBQJSOgHMAAoJEKIFRYQsa8FWDwMH/R3lKUazuze8i92LvDW28dR3<br>
IZMJD/2C046IneUu+0/jUpTcGfCyn7M1gFRjf3+vBwp8igHMXySV346ie2Dh/tNd<br>
BDNs8XyB5eSFk0M1EQLlh9I5qXPbmKre8sXZSp/0qbNMdO7K/mozicl0iCwWiWLP<br>
VdOIh9kapgLl2mxwo+gL062YnTunYYnxlxc2gBr4VCPekRNOnnyx49QNeNjvO2fB<br>
nC6dX4s01HFjWjc/ms8XtIvwZuhTdj6gyhS1nJgfwo1oPrdYv3DJGjNwTCxypRNc<br>
d1BYkhdLag24RqEIXRiFJJELBVdPYHByUb4I9VO3GavESu3GwQzR5N7tbSoVR+I=<br>
=ehOY<br>
-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Edward Bjarte Fjellskål<br>Senior Security Analyst<br><a href="http://www.gamelinux.org/" target="_blank">http://www.gamelinux.org/</a>
</div>