<div dir="ltr">hmmm, i remember why i backed off that approach now(user error), that's a bit embarrassing, for my needs currently enabling that via the alert eve logs should get me through. These alerts are likely more of a question of service/server misconfiguration than an attack vector, so the volume is low, severity is low and only on one server. <div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 31, 2017 at 2:42 PM, Jeremy MJ <span dir="ltr"><<a href="mailto:jskier@gmail.com" target="_blank">jskier@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You could also extract payload and packet data and decode it out of<br>
the eve alert logs too. Jeff's suggestion would be more polished and<br>
streamlined, probably the best way to go.<br>
<br>
--<br>
Jeremy MJ<br>
<div class="HOEnZb"><div class="h5"><br>
On Tue, Oct 31, 2017 at 1:07 PM, Jeff Dyke <<a href="mailto:jeff.dyke@gmail.com">jeff.dyke@gmail.com</a>> wrote:<br>
><br>
> Thanks Cooper, that seems like the bit i was missing, as expected it was right in front of me. I'll try that out.<br>
><br>
> Thanks again,<br>
> Jeff<br>
><br>
> On Tue, Oct 31, 2017 at 1:04 PM, Cooper F. Nelson <<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a>> wrote:<br>
>><br>
>> Enabled the Unified2 logging and then extract the pcaps with u2boat (ships with snort).<br>
>><br>
>> -Coop<br>
>><br>
>> On 10/31/2017 7:42 AM, Jeff Dyke wrote:<br>
>><br>
>> I've read the docs regarding pcap.log, but was curious if i could log only packets that generate an alert (not a drop). I may have missed something in the eve configuration. It would not be the end of the world to use pcap, but wanted to make sure i wasn't missing something obvious.<br>
>><br>
>> Thanks!<br>
>><br>
>><br>
>> ______________________________<wbr>_________________<br>
>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
>> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
>><br>
>> Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
>> Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/<wbr>training/</a><br>
>><br>
>><br>
>> --<br>
>> Cooper Nelson<br>
>> Network Security Analyst<br>
>> UCSD ITS Security Team<br>
>> <a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
><br>
><br>
><br>
> ______________________________<wbr>_________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
><br>
> Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
> Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/<wbr>training/</a><br>
</div></div></blockquote></div><br></div>