<div dir="ltr">Yea think there maybe some source code that needs to be modified with that. I have tried to include the tag option and it doesnt seem to work. <br><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><span style="font-size:14px;font-family:roboto,sans-serif"><strong><span style="color:#000000"><br>Jordon Carpenter</span></strong></span><br><span style="color:#000000;font-size:12px;font-family:roboto,sans-serif"><a style="color:#000000;font-size:12px;font-family:roboto,sans-serif" href="https://www.rooksecurity.com/" target="_blank">Rook Security</a></span><br><span style="font-size:12px;font-family:roboto,sans-serif"><em><span style="color:#000000">Anticipate, Manage, & Eliminate Threats</span></em></span><br><br><span style="color:#000000;font-size:12px;font-family:roboto,sans-serif">O: <a href="onsip:18887129531@null" title="Click-to-Call 888.712.9531" class="onsip-click-to-call" rel="18887129531">888.712.9531</a> x734</span><br><span style="color:#000000;font-size:12px;font-family:calibri,sans-serif"><span style="font-family:roboto,sans-serif">E: <a href="mailto:jordon.carpenter@rooksecurity.com" target="_blank">jordon.carpenter@rooksecurity.com</a><br><br></span><span style="font-family:roboto,sans-serif"><a href="https://www.facebook.com/rookteam" style="font-family:roboto,sans-serif" target="_blank"><img src="https://d23fetfglg1ija.cloudfront.net/signature_fields/56feae2eecca0b0003125675/A-FB.png" border="0" alt="rookteam"></a>    <a href="https://twitter.com/rooksecurity" style="font-family:roboto,sans-serif" target="_blank"><img src="https://d23fetfglg1ija.cloudfront.net/signature_fields/56feae2eecca0b0003125675/A-TW.png" border="0" alt="rooksecurity"></a>    <a href="https://www.linkedin.com/company/rook-security" style="font-family:roboto,sans-serif" target="_blank"><img src="https://d23fetfglg1ija.cloudfront.net/signature_fields/56feae2eecca0b0003125675/A-LI.png" border="0" alt="Rook LinkedIn"></a></span><br><br><br><span style="font-size:10px"><span style="font-family:roboto,sans-serif">This e-mail may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply e-mail and delete all copies of this message.</span><br></span><br></span></div></div>
<br><div class="gmail_quote">On Thu, Apr 13, 2017 at 10:14 AM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, Apr 13, 2017 at 4:03 PM, Jordon Carpenter<br>
<<a href="mailto:jordon.carpenter@rooksecurity.com">jordon.carpenter@<wbr>rooksecurity.com</a>> wrote:<br>
><br>
> Team,<br>
><br>
> Trying to identify a process of logging a few extra packets from a Suricata alert.<br>
><br>
> For example, how the 'tag' rule does for snort. I know this is not a feature in Suricata, however, I'm looking for something that will do it. The goal is to follow an attack session like an SQL injection attack. Obviouslly we need to see the response from the affected resource in order to properly determine if the attack was successful.<br>
<br>
You can utilise with tag -<br>
<a href="https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L173" rel="noreferrer" target="_blank">https://redmine.<wbr>openinfosecfoundation.org/<wbr>projects/suricata/repository/<wbr>revisions/master/entry/<wbr>suricata.yaml.in#L173</a><br>
<br>
Feedback is welcome.<br>
<br>
><br>
> Thanks,<br>
> Jordon Carpenter<br>
> Rook Security<br>
> Anticipate, Manage, & Eliminate Threats<br>
><br>
> O: <a href="tel:888.712.9531%20x734" value="+18887129531">888.712.9531 x734</a><br>
> E: <a href="mailto:jordon.carpenter@rooksecurity.com">jordon.carpenter@rooksecurity.<wbr>com</a><br>
><br>
><br>
><br>
><br>
> This e-mail may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply e-mail and delete all copies of this message.<br>
><br>
><br>
> ______________________________<wbr>_________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
--<br>
Regards,<br>
Peter Manev<br>
</font></span></blockquote></div><br></div></div>