<div dir="ltr">Thanks, Jay.<div><br></div><div>Appreciate it.</div><div><br></div><div>Jake.</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><strong>Jake King</strong><br>Security Engineer | <a href="https://www.hootsuite.com/" target="_blank">Hootsuite</a></div></div></div>
<br><div class="gmail_quote">On Mon, Jan 19, 2015 at 5:24 PM, Jay M. <span dir="ltr"><<a href="mailto:jskier@gmail.com" target="_blank">jskier@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Yes, I believe the setting you are looking at is all monitored packets<br>
by Suricata. Alert debugging is also verbose and useful, but not a<br>
pcap.<br>
<br>
In the beta 2.1 series, you can turn on packet under alert logging<br>
which will create a KV pair for one 'packet' per alert in the eve.log<br>
(so, not all packets, only alerts). The value will be in base64<br>
encoding. It will allow you to decode fairly easily with scapy and a<br>
Python script.<br>
<br>
I'm working on a Python script, pre-rotate, to pull out all alert<br>
packets every time I rotate the eve.log (every hour to 6 hours<br>
depending on time of day). Once I get it wrapped up (tuning JSON;<br>
decoding was the easy part) I'll post it.<br>
<br>
--<br>
Jay<br>
<a href="mailto:jskier@gmail.com">jskier@gmail.com</a><br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On Mon, Jan 19, 2015 at 6:00 PM,  <<a href="mailto:mail.list@taylorofthe.net">mail.list@taylorofthe.net</a>> wrote:<br>
> What is the best option to log only packets associated with alerts? In the Suricata documentation, it reads: With the pcap-log option you can save all packets, that are registered by Suricata, in a log file named log.pcap. Is that all packets on the monitored interface? How does one get just the packets associated with a specific rule? Does the post-detection rule variable option work like it does in Snort?<br>
><br>
> Thanks in advance<br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br>
</div></div></blockquote></div><br></div>
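<div>Worked example for the eve.log alert-packet extraction Jay describes above (an added example, not Jay's script and not Suricata project code): it reads eve.json lines, keeps only alert records that carry the base64 <code>packet</code> field, decodes them and serialises the frames as a pcap, using only the Python standard library in place of scapy's <code>wrpcap</code>. The sample eve lines and the frame embedded in them are constructed, and a pcap linktype of 1 (Ethernet) is assumed.</div>

```python
"""Pull the base64 'packet' out of Suricata eve.json alerts and write the frames
to a pcap. Added example, not Jay's script; standard library only (no scapy)."""
import base64
import json
import struct
from datetime import datetime

def eve_ts_to_epoch(ts):
    """Suricata eve timestamps look like 2015-01-19T17:24:01.000500-0800."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp()), dt.microsecond

def extract_alert_packets(lines):
    """(sec, usec, frame) for each alert carrying a packet; rest is skipped."""
    pkts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # rotation mid-write leaves a truncated last line
        if ev.get("event_type") != "alert" or "packet" not in ev:
            continue
        try:
            raw = base64.b64decode(ev["packet"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        pkts.append(eve_ts_to_epoch(ev["timestamp"]) + (raw,))
    return pkts

def pcap_bytes(pkts, linktype=1):
    """Classic libpcap file (magic 0xa1b2c3d4, usec stamps); 1 = Ethernet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, raw in pkts:
        out.append(struct.pack("<IIII", sec, usec, len(raw), len(raw)) + raw)
    return b"".join(out)

# Constructed Ethernet/IPv4/UDP frame: 10.0.0.5:40000 -> 10.0.0.9:53, "abcd".
SAMPLE_FRAME = bytes.fromhex(
    "001122334455 66778899aabb 0800"                   # Ethernet header
    "4500 0020 0001 0000 4011 0000 0a000005 0a000009"  # IPv4, proto 17 (UDP)
    "9c40 0035 000c 0000 61626364")                     # UDP header + payload
# Constructed eve.json lines: flow, alert+packet, alert without packet, truncated.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2015-01-19T17:24:00.123456-0800","event_type":"flow"}',
    '{"timestamp":"2015-01-19T17:24:01.000500-0800","event_type":"alert","alert":'
    '{"signature_id":1000001},"packet":"%s"}' % base64.b64encode(SAMPLE_FRAME).decode(),
    '{"timestamp":"2015-01-19T17:24:02.000000-0800","event_type":"alert"}',
    '{"timestamp":"2015-01-19T17:24:03.0',
]
```

<div>Against a real sensor, feed the lines of a rotated eve.log to <code>extract_alert_packets</code> and write <code>pcap_bytes(...)</code> to a file; the result opens in Wireshark or scapy's <code>rdpcap</code>.</div>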