<div dir="ltr"><div><br></div>Enabling "payload" or "packet" in the Eve log will also give access to the content. If this is needed in PCAP format, I know that Jason Ish has done some work on this: <a href="https://blog.jasonish.org/2015/10/01/eve2pcap-eve-packet-and-payload-conversion-to-pcap/">https://blog.jasonish.org/2015/10/01/eve2pcap-eve-packet-and-payload-conversion-to-pcap/</a><br><br><br><div><div class="gmail_quote"><div dir="ltr">On Fri, 24 Jun 2016 at 08:01, Cooper F. Nelson <<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Use the unified2 alerts and then extract the pcaps from them.<br>
<br>
Something like this...<br>
<br>
> find unified2.alert.* -mmin -5 -exec u2boat -t pcap {} /tmp/{}.pcap \;<br>
<br>
<br>
On 6/23/2016 6:47 PM, SiNA wrote:<br>
> Hi!<br>
><br>
> How can I save pcap files of only the alerts generated rather than<br>
> logging pcaps of all of the traffic passing through?<br>
><br>
> All the best,<br>
> Sina<br>
><br>
> --<br>
> SiNA<br>
> PGP: 0x0B47D56D<br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> Suricata User Conference November 9-11 in Washington, DC: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
><br>
<br>
<br>
--<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ITS Security Team<br>
<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a> x41042<br>
<br>
</blockquote></div></div></div>
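The EVE route mentioned in the reply above, as an added example that is not code from this thread or from Jason Ish's eve2pcap: a small Python converter that takes EVE alert records logged with the packet option and writes only those packets into a classic pcap file, skipping non-alert events and alerts that carry no packet. The sample EVE lines and frame are constructed, and the use of `packet_info.linktype` as the DLT (defaulting to Ethernet) is an assumption on my part.

```python
import base64
import json
import struct
from datetime import datetime

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap header, microsecond timestamps

# Constructed sample: a 34-byte Ethernet+IPv4 frame, not a real capture.
SAMPLE_FRAME = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
                + b"\x45\x00\x00\x14\x00\x01\x00\x00\x40\x06\x00\x00"
                + bytes([10, 0, 0, 1]) + bytes([192, 168, 1, 1]))
SAMPLE_EVE_LINES = [  # constructed EVE records: one alert with packet, one flow, one alert without
    json.dumps({"timestamp": "2016-06-24T08:01:00.123456+0000", "event_type": "alert",
                "packet": base64.b64encode(SAMPLE_FRAME).decode(),
                "packet_info": {"linktype": 1}}),
    json.dumps({"timestamp": "2016-06-24T08:01:01.000000+0000", "event_type": "flow"}),
    json.dumps({"timestamp": "2016-06-24T08:01:02.000000+0000", "event_type": "alert"}),
]


def parse_eve_alert_packets(lines):
    """Yield (ts_sec, ts_usec, linktype, raw) for every EVE alert that carries
    a base64 "packet" field; other event types and alerts logged without the
    packet option are skipped rather than written as empty records."""
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert" or "packet" not in ev:
            continue
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        # Assumption: packet_info.linktype carries the DLT; default to Ethernet (1).
        linktype = ev.get("packet_info", {}).get("linktype", 1)
        yield int(ts.timestamp()), ts.microsecond, linktype, base64.b64decode(ev["packet"])


def eve_to_pcap(lines):
    """Return (pcap_bytes, packets_written). A pcap file has a single link
    type, so packets whose DLT differs from the first one are left out."""
    records = list(parse_eve_alert_packets(lines))
    linktype = records[0][2] if records else 1
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    written = 0
    for sec, usec, lt, raw in records:
        if lt != linktype:
            continue
        out += struct.pack("<IIII", sec, usec, len(raw), len(raw))  # per-packet record header
        out += raw
        written += 1
    return bytes(out), written
```

Feed it the lines of eve.json (for example `eve_to_pcap(open("eve.json"))`) and write the returned bytes to a `.pcap` file; any pcap reader will then open the alert packets directly.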