<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_1_1416569756829_2797" dir="ltr"><span id="yui_3_16_0_1_1416569756829_2803">Actually, we are only looking for the session data that is associated with the alert generated. We currently use the debug option and parse the data. It only gives us the packets associated with that particular event.</span></div><br>  <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_1_1416569756829_2800"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_1_1416569756829_2799"> <div dir="ltr" id="yui_3_16_0_1_1416569756829_2798"> <hr size="1" id="yui_3_16_0_1_1416569756829_2802">  <font size="2" face="Arial" id="yui_3_16_0_1_1416569756829_2801"> <b><span style="font-weight:bold;">From:</span></b> Cooper F. Nelson <cnelson@ucsd.edu><br> <b><span style="font-weight: bold;">To:</span></b> Charles DeVoe <scarecrow_57@yahoo.com>; "oisf-users@lists.openinfosecfoundation.org" <oisf-users@lists.openinfosecfoundation.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Wednesday, November 19, 2014 8:55 AM<br> <b id="yui_3_16_0_1_1416569756829_2809"><span style="font-weight: bold;" id="yui_3_16_0_1_1416569756829_2808">Subject:</span></b> Re: [Oisf-users] Getting session data<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1416569756829_2806"><br>Is this what you want?<br clear="none"><br clear="none">> Packet log (pcap-log)<br clear="none">> With the pcap-log option you can save all packets that are registered by Suricata in a log file named log.pcap. 
This way, you can take a look at all packets whenever you want.<br clear="none">> In the normal mode a pcap file is created in the default-log-dir. It can also be created elsewhere if an absolute path is set in the yaml-file.<br clear="none">> <br clear="none">> The file that is saved, for example, in the default-log-dir /var/log/suricata can be opened with every program which supports the pcap file format. This can be Wireshark, TCPdump, Suricata, Snort and many others.<br clear="none">> <br clear="none">> The pcap-log option can be enabled and disabled.<br clear="none">> <br clear="none">> There is a size limit for the pcap-log file that can be set. The default limit is 32 MB. If the log-file reaches this limit, the file will be rotated and a new one will be created.<br clear="none"><br clear="none">From: ><br clear="none"><a shape="rect" href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml" target="_blank" id="yui_3_16_0_1_1416569756829_2807">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml</a><br clear="none"><br clear="none"><br clear="none"><br clear="none">On 11/19/2014 3:19 AM, Charles DeVoe wrote:<br clear="none">> When we started this project it was decided that we need the session<br clear="none">> data along with the alert.  Back then we found that the only way we<br clear="none">> could get this was by using the debug output (although there may have<br clear="none">> been another way).  I attempted to install Suricata with prelude support<br clear="none">> and that failed during the ./configure process.<br clear="none">> <br clear="none">> So to get to the point.  
What methods are available for getting session<br clear="none">> data and which is the best?<br clear="none">> <br clear="none">> "Thank you for your Support"<br clear="none">> Bartyles and James<br clear="none">> <br clear="none">> <br clear="none">> _______________________________________________<br clear="none">> Suricata IDS Users mailing list: <a shape="rect" ymailto="mailto:oisf-users@openinfosecfoundation.org" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br clear="none">> Site: <a shape="rect" href="http://suricata-ids.org/" target="_blank">http://suricata-ids.org </a>| Support: <a shape="rect" href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br clear="none">> List: <a shape="rect" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br clear="none">> Training now available: <a shape="rect" href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br clear="none">> <br clear="none"><br clear="none"><br clear="none">-- <br clear="none">Cooper Nelson<br clear="none">Network Security Analyst<br clear="none">UCSD ACT Security Team<br clear="none"><a shape="rect" ymailto="mailto:cnelson@ucsd.edu" href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br clear="none"><div class="qtdSeparateBR"><br><br></div><div class="yqt2586959103" id="yqtfd07623"><br clear="none"></div><br><br></div> </div> </div>  </div></body></html>