<div dir="ltr">You're probably looking for the 'types' stanza under the eve-logging (json) component:<div><br></div><pre>      types:
        - alert:
            # payload: yes             # enable dumping payload in Base64
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
            # packet: yes              # enable dumping of packet (without stream segments)
</pre></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 8, 2016 at 1:36 PM, Jeff H <span dir="ltr"><<a href="mailto:jeff61225@gmail.com" target="_blank">jeff61225@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Sun, Feb 7, 2016 at 12:01 PM, Andreas Herz <span dir="ltr"><<a href="mailto:andi@geekosphere.org" target="_blank">andi@geekosphere.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span><br>
> I am considering looking into switching some of my Snort installs to<br>
> Suricata. Are there any guides/documentation/blog posts (official or not)<br>
> that are aimed at Snort users interested in Suricata?<br>
<br>
</span>There is this page in regard to the config:<br>
<br>
<a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Snortconf_to_Suricatayaml" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Snortconf_to_Suricatayaml</a><br>
<br>
And the user guide docs in general should cover all topics; if something<br>
special is missing, just ask.<br>
<span><font color="#888888"><br>
--<br>
Andreas Herz<br></font></span></blockquote><div><br></div></span><div>Hi Andreas,</div><div><br></div><div>I think one of the things I am confused about is the logging in Suricata. Reading the Suricatayaml documentation (<a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml</a>) I see the option for pcap logging, but it looks like that logs all traffic, not just alerts. Is that correct?</div><div><br></div><div>What logging options need to be enabled to save a pcap of only the traffic that generated an alert? I would like to have that in addition to the eve logging (which I think I understand based on the documentation).<span class="HOEnZb"><font color="#888888"><br></font></span></div><span class="HOEnZb"><font color="#888888"><div><br></div><div>Jeff</div></font></span></div></div></div>
<br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 9-11 in Washington, DC: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Brandon Lattin<div>Security Analyst<br><div>University of Minnesota - University Information Security<br>Office: 612-626-6672</div></div></div></div>
</div>
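The `packet: yes` option named above puts the frame that triggered each alert, base64-encoded, into the alert's own eve.json record, which is what Jeff's question is after: alert traffic only, as opposed to the full-traffic pcap-log output. The script below is an added example for this thread, not code from the Suricata project or from anyone on the list. It reads eve.json lines, keeps only alert records that carry a `packet` field, and writes those frames to a standard libpcap file. It assumes the frames are Ethernet (link type 1); the three sample records are constructed inline so it runs offline.

```python
"""Pull alert-triggering packets out of Suricata's EVE JSON log and write them
to a libpcap file.

Added example for this thread, not code from the Suricata project. It assumes
the `packet` field holds the base64 frame that EVE emits when `packet: yes` is
set under the alert type, that frames are Ethernet (DLT_EN10MB = 1), and that
the sample records below are constructed."""
import base64
import json
import struct
from datetime import datetime
from typing import Iterable, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
DLT_EN10MB = 1            # Ethernet link type (assumed for every record)


def _constructed_frame(payload: bytes) -> bytes:
    """Build a constructed Ethernet/IPv4/TCP frame so the example runs offline."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed eve.json lines: one alert with a packet, one flow record, and one
# alert logged without `packet: yes` (nothing to extract from it).
CONSTRUCTED_EVE_LINES = [
    json.dumps({
        "timestamp": "2016-02-08T13:36:00.123456-0600",
        "event_type": "alert",
        "src_ip": "10.0.0.5", "src_port": 40000,
        "dest_ip": "192.0.2.10", "dest_port": 80, "proto": "TCP",
        "alert": {"signature_id": 9000001, "signature": "CONSTRUCTED test rule"},
        "packet": base64.b64encode(_constructed_frame(b"GET /probe HTTP/1.1\r\n")).decode(),
    }),
    json.dumps({"timestamp": "2016-02-08T13:36:01.000000-0600", "event_type": "flow"}),
    json.dumps({"timestamp": "2016-02-08T13:36:02.000000-0600", "event_type": "alert",
                "alert": {"signature_id": 9000002, "signature": "CONSTRUCTED no-packet rule"}}),
]


def eve_alert_packets(lines: Iterable[str]) -> List[Tuple[int, int, bytes]]:
    """Return (ts_sec, ts_usec, frame) for every alert record that carries a packet."""
    packets = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert" or "packet" not in rec:
            continue  # flow/http/etc. records, or alerts logged without packet: yes
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        packets.append((int(ts.timestamp()), ts.microsecond,
                        base64.b64decode(rec["packet"])))
    return packets


def build_pcap(packets, linktype: int = DLT_EN10MB, snaplen: int = 65535) -> bytes:
    """Serialise packets as a libpcap file: 24-byte global header, 16-byte record headers."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    records = b"".join(
        struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
        for sec, usec, frame in packets)
    return header + records


def count_pcap_records(data: bytes) -> int:
    """Walk a pcap file and count its records; used to check what build_pcap wrote."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    offset, count = 24, 0
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, offset)[2]
        offset += 16 + incl_len
        count += 1
    return count


def write_alert_pcap(lines: Iterable[str], path: str) -> int:
    """Write the alert packets from eve.json lines to `path`; return how many were written."""
    packets = eve_alert_packets(lines)
    with open(path, "wb") as fh:
        fh.write(build_pcap(packets))
    return len(packets)


if __name__ == "__main__":
    n = write_alert_pcap(CONSTRUCTED_EVE_LINES, "alerts_only.pcap")
    print(f"wrote {n} alert packet(s) to alerts_only.pcap")
```

On a live sensor you would feed `open("/var/log/suricata/eve.json")` to `write_alert_pcap` instead of the constructed list, and the resulting file opens in any pcap reader. Each frame is written once, so with `packet: yes` alone you get exactly the packet that fired the rule, not the surrounding stream, which is what the "(without stream segments)" comment in the config warns about.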