<div dir="ltr">This is something I'd be very interested in as well. <div><br></div><div>I've been maintaining a buffer pcap file on my servers to ensure that I have enough information to find out what may be triggering an alert. It would be much more effective to only log the traffic coming through when an alert is triggered (or a predetermined list of alerts), then store the logs based on importance, etc.</div><div><br></div><div>Any info you have would be awesome!</div><div><br></div><div>Jake.<br></div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr">
<strong>Jake King</strong><br>Security Engineer | <a href="https://www.hootsuite.com/" target="_blank">Hootsuite</a></div></div></div>
<br><div class="gmail_quote">On Mon, Jan 19, 2015 at 4:00 PM,  <span dir="ltr"><<a href="mailto:mail.list@taylorofthe.net" target="_blank">mail.list@taylorofthe.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">What is the best option to log only packets associated with alerts? In the Suricata documentation, it reads: "With the pcap-log option you can save all packets, that are registered by Suricata, in a log file named log.pcap." Is that all packets on the monitored interface? How does one get just the packets associated with a specific rule? Does the post-detection rule variable option work like it does in Snort?<br>
<br>
Thanks in advance<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br>
</blockquote></div><br></div>
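The question above asks how to make pcap-log write only the packets tied to an alert instead of everything on the interface. The fragment below is an added example, not part of the thread and not taken from either poster; it is a suricata.yaml pcap-log section as found in current Suricata releases and assumes Suricata 6.0 or later, which is where pcap-log gained the "conditional" setting (the 2015 release the thread was written against had no such option, so the answer then was a full ring buffer like the one Jake describes). With "conditional: all" (the default) every packet Suricata processes on the interface goes into log.pcap; "alerts" restricts the file to packets and flows that raised an alert; "tag" restricts it to flows marked by a rule's "tag" keyword.

```yaml
# Added example suricata.yaml fragment (not from the thread).
# Assumes Suricata 6.0+, where pcap-log has the "conditional" option.
outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap
      # Ring buffer: keep at most max-files files of size limit each,
      # so the full-capture fallback cannot fill the disk.
      limit: 1000mb
      max-files: 2000
      mode: normal          # normal, multi or sguil
      use-stream-depth: no  # keep logging packets seen past the stream inspection depth
      honor-pass-rules: no  # yes would stop logging a flow once a pass rule matched it
      # Which packets are written:
      #   all    - every packet Suricata sees on the interface (the default)
      #   alerts - only alerted packets and the flows they belong to
      #   tag    - only flows tagged by a rule's "tag" keyword
      conditional: alerts
```

For the Snort-style post-detection behaviour the question asks about, set "conditional: tag" and give the rule a "tag" keyword, for example (constructed rule, sid chosen from the local-rules range) `alert tcp any any -> any 80 (msg:"tag example"; content:"GET"; tag:session,60,seconds; sid:1000001; rev:1;)`: after the match, the rest of that session is written to the pcap for 60 seconds while unrelated traffic is not. The "alerts" and "tag" modes only reduce what pcap-log writes; they do not change the EVE alert records, so a reviewer still gets the alert metadata either way and only the packet payload storage shrinks.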