<div dir="ltr">The closest I've seen to the pcap output you're looking for is to enable the unified2 output (which you can use barnyard on if you so choose). See this section of the yaml:<div><a href="https://redmine.openinfosecfoundation.org/attachments/718/suricata.yaml#L55">https://redmine.openinfosecfoundation.org/attachments/718/suricata.yaml#L55</a><br><div><br></div><div>Also, if we're plugging full pcap solutions, +1 to Steno =)</div><div><a href="https://github.com/google/stenographer">https://github.com/google/stenographer</a><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 8, 2016 at 1:50 PM, Rob MacGregor <span dir="ltr"><<a href="mailto:rob.macgregor@gmail.com" target="_blank">rob.macgregor@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><span class=""><div dir="ltr">On Mon, Feb 8, 2016 at 8:33 PM Jeff H <<a href="mailto:jeff61225@gmail.com" target="_blank">jeff61225@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">Thanks Brandon, that does seem to be what I'm looking for. So when using the type alert in eve-logging do all three of those default to yes? Are individual pcap files created for each alert?<br></div></div></div></blockquote><div><br></div></span><div>If you're after the full sessions that caused the alert, then you'll need an external packet capture program that gives you a rolling buffer on disk. You can then retrieve the session from that program's archive. 
If you're on an IPv4 only network then Moloch is pretty sweet, Stenographer is shaping up nicely (AF_PACKET only though) and OpenFPC is worth a look too.</div><div><br></div><div>The chances are if your existing USM setup provides packet capture, that wasn't done by Snort and the same solution that worked for you there will still work now.</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>-- </div><div> Rob MacGregor </div></font></span></div></div>
<br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 9-11 in Washington, DC: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br></blockquote></div><br></div>
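<p>An added example, not code from this thread, from Suricata or from any of the capture tools named above, of the retrieval step Rob describes: read an EVE alert record, build a BPF filter that matches both directions of the alerting flow, pick the rolling-capture files whose rotation period overlaps a window around the alert, and emit the tcpdump commands that carve the session out of them. The EVE field names are Suricata's; the sample records, the archive index of (file start time, path) pairs and the paths are constructed for the example and the index layout is an assumption about how the archive is organised.</p>

```python
"""Retrieve the full session behind a Suricata EVE alert from a rolling
packet-capture archive.

Added example; not code from the mailing-list thread or the Suricata project.
Assumptions: EVE JSON alert records with the usual fields (timestamp, src_ip,
src_port, dest_ip, dest_port, proto, event_type), an archive of rotated pcap
files readable by tcpdump, and an index of those files as (rotation start
time, path) pairs. That index layout is invented here.
"""
import json
import shlex
from datetime import datetime, timedelta

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata's EVE timestamp format

# Constructed sample EVE records (documentation addresses, made-up sid).
# The second line is not an alert and must be ignored.
SAMPLE_EVE = (
    '{"timestamp":"2016-02-08T20:33:00.123456+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","src_port":50123,"dest_ip":"198.51.100.20",'
    '"dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,'
    '"signature":"CONSTRUCTED test rule"}}\n'
    '{"timestamp":"2016-02-08T20:33:01.000000+0000","event_type":"http",'
    '"src_ip":"192.0.2.11","src_port":50124,"dest_ip":"198.51.100.21",'
    '"dest_port":80,"proto":"TCP"}\n'
)

# Constructed archive index (assumed layout): rotation start time, pcap path.
SAMPLE_ARCHIVE = [
    (datetime.strptime("2016-02-08T20:20:00.000000+0000", EVE_TS), "/cap/a.pcap"),
    (datetime.strptime("2016-02-08T20:30:00.000000+0000", EVE_TS), "/cap/b.pcap"),
    (datetime.strptime("2016-02-08T20:40:00.000000+0000", EVE_TS), "/cap/c.pcap"),
]


def parse_alerts(eve_text):
    """Return only the event_type == "alert" records from EVE JSON lines."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def session_filter(alert):
    """BPF matching both directions of the alerting flow.

    The reverse direction is spelled out explicitly so the filter does not
    also match unrelated packets that happen to share hosts and ports in
    another arrangement. ICMP and other portless protocols get hosts only.
    """
    proto = alert["proto"].lower()
    fwd = f"src host {alert['src_ip']} and dst host {alert['dest_ip']}"
    rev = f"src host {alert['dest_ip']} and dst host {alert['src_ip']}"
    if proto in ("tcp", "udp"):
        fwd += f" and src port {alert['src_port']} and dst port {alert['dest_port']}"
        rev += f" and src port {alert['dest_port']} and dst port {alert['src_port']}"
    return f"{proto} and (({fwd}) or ({rev}))"


def time_window(alert, before=timedelta(minutes=5), after=timedelta(minutes=5)):
    """Window around the alert; the session started before the alert fired."""
    ts = datetime.strptime(alert["timestamp"], EVE_TS)
    return ts - before, ts + after


def archive_files(index, start, end):
    """Pick the pcap files whose rotation period overlaps [start, end].

    A file covers from its own start time up to the next file's start time;
    the last file is treated as still being written.
    """
    index = sorted(index)
    chosen = []
    for i, (file_start, path) in enumerate(index):
        file_end = index[i + 1][0] if i + 1 < len(index) else None
        if file_end is not None and file_end < start:
            continue  # rotated out before the window opened
        if file_start > end:
            break  # everything after this starts past the window
        chosen.append(path)
    return chosen


def retrieval_commands(alert, index, out_prefix):
    """tcpdump invocations that carve the session out of each matching file."""
    start, end = time_window(alert)
    bpf = shlex.quote(session_filter(alert))
    files = archive_files(index, start, end)
    return [
        f"tcpdump -nn -r {shlex.quote(p)} -w {shlex.quote(f'{out_prefix}.{i}.pcap')} {bpf}"
        for i, p in enumerate(files)
    ]


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_EVE):
        print("sid", a["alert"]["signature_id"], "->", session_filter(a))
        for cmd in retrieval_commands(a, SAMPLE_ARCHIVE, "/tmp/session"):
            print(cmd)
```

<p>The per-file outputs can be merged afterwards with mergecap. Tools that expose their own query interface take the same 5-tuple plus a time range directly, so the index lookup here only stands in for that when the archive is a directory of plain rotated pcap files.</p>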