[Oisf-users] Logging full sessions and HTTP logs concurrently

Victor Julien lists at inliniac.net
Thu Sep 19 09:28:12 UTC 2013



On 09/19/2013 11:24 AM, Edward Fjellskål wrote:
> I googled, but did not find any docs about it.... saw some hits on
> the sourcecode, but did not dig into them.
> 
> This is a great feature to have though, and I guess one can use
> this for a fairly good packet capture and might satisfy the initial
> request?

When fixed, this works by pushing the tags into the unified2 records,
so barnyard2 would have to make pcap files out of that. Not sure how
to configure by2 for that though.

> On Thu, Sep 19, 2013 at 9:33 AM, Victor Julien <lists at inliniac.net> wrote:
> 
> On 09/19/2013 09:07 AM, Edward Fjellskål wrote:
>> https://redmine.openinfosecfoundation.org/issues/120
> 
>> Snort would be able to do this like:
>>
>> alert tcp 85.19.221.54 any <> $HOME_NET any (msg:"GL Log Packet Evil-IP 85.19.221.54 (gamelinux.org)"; flags:S; tag:session,1000,bytes,100,seconds,0,packets; classtype:trojan-activity; sid:201102011; rev:1;)
> 
> We support this tagging as well, never really benched it.
> 
> -- 
> Edward Bjarte Fjellskål
> Senior Security Analyst
> http://www.gamelinux.org/

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
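The reply above explains that tagged packets end up as records in the unified2 spool and that something downstream (barnyard2 in the thread) has to turn them back into pcap. The script below is an added example of that downstream step; it is not code from this thread, from Suricata or from barnyard2. It assumes the record layouts documented in Snort's README.unified2: every record is a big-endian (type, length) header followed by `length` bytes, and a packet record (type 2) carries sensor_id, event_id, event_second, packet_second, packet_microsecond, linktype and packet_length as big-endian u32 fields ahead of the raw packet bytes. Event records (type 7) are skipped rather than decoded, the sample spool is constructed inline with filler packet bodies, and linktype 1 (Ethernet) is assumed for the pcap header.

```python
"""Pull the tagged packets out of a unified2 spool into a pcap.

Added example; not code from this thread, Suricata or barnyard2. Record
layouts are assumed from Snort's README.unified2 (see the lead-in).
"""
import struct

UNIFIED2_PACKET = 2      # Serial_Unified2Packet
UNIFIED2_IDS_EVENT = 7   # Serial_Unified2IDSEvent (left opaque here)

RECORD_HDR = struct.Struct(">II")        # record type, record length
PACKET_HDR = struct.Struct(">7I")        # sensor_id, event_id, event_second,
                                         # packet_second, packet_microsecond,
                                         # linktype, packet_length
PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len


def build_packet_record(event_id, sec, usec, packet, sensor_id=0, linktype=1):
    """Serialize one unified2 packet record (only used to construct sample input)."""
    body = PACKET_HDR.pack(sensor_id, event_id, sec, sec, usec, linktype, len(packet)) + packet
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def iter_records(data):
    """Yield (type, payload) per record; a record that runs past the end of
    the buffer raises ValueError instead of being silently dropped."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + length > len(data):
            raise ValueError(f"record at offset {off - RECORD_HDR.size} is truncated")
        yield rtype, data[off:off + length]
        off += length


def parse_packet_record(payload):
    """Decode a type-2 payload into a dict; packet_length must fit the record."""
    if len(payload) < PACKET_HDR.size:
        raise ValueError("packet record shorter than its fixed header")
    sensor_id, event_id, event_sec, pkt_sec, pkt_usec, linktype, plen = PACKET_HDR.unpack_from(payload)
    pkt = payload[PACKET_HDR.size:PACKET_HDR.size + plen]
    if len(pkt) != plen:
        raise ValueError("packet_length exceeds the record body")
    return {"sensor_id": sensor_id, "event_id": event_id, "event_sec": event_sec,
            "sec": pkt_sec, "usec": pkt_usec, "linktype": linktype, "data": pkt}


def extract_packets(data):
    """All packet records in the spool, in file order; other record types are skipped."""
    return [parse_packet_record(p) for t, p in iter_records(data) if t == UNIFIED2_PACKET]


def packets_by_event(packets):
    """Group packets by event_id so each tagged session can be written on its own."""
    groups = {}
    for p in packets:
        groups.setdefault(p["event_id"], []).append(p)
    return groups


def write_pcap(packets, linktype=1, snaplen=65535):
    """Classic little-endian pcap (magic 0xa1b2c3d4) holding the given packets."""
    out = bytearray(PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    for p in packets:
        out += PCAP_RECORD.pack(p["sec"], p["usec"], len(p["data"]), len(p["data"])) + p["data"]
    return bytes(out)


def is_well_formed(data):
    """True if every record header in the buffer is backed by enough bytes."""
    try:
        for _ in iter_records(data):
            pass
        return True
    except ValueError:
        return False


# Constructed sample spool: one opaque event record, two tagged packets for
# event 42 and one for event 43. Packet bodies are filler, not real frames.
SAMPLE_U2 = (
    RECORD_HDR.pack(UNIFIED2_IDS_EVENT, 8) + b"\x00" * 8
    + build_packet_record(42, 1379582652, 10, b"\xaa" * 60)
    + build_packet_record(42, 1379582652, 20, b"\xbb" * 40)
    + build_packet_record(43, 1379582653, 0, b"\xcc" * 54)
)

if __name__ == "__main__":
    pkts = extract_packets(SAMPLE_U2)
    for event_id, group in packets_by_event(pkts).items():
        pcap = write_pcap(group)
        print(f"event {event_id}: {len(group)} packet(s), {len(pcap)} pcap bytes")
```

Grouping by event_id is what makes a tagged session usable: the `tag:session` keyword in the quoted rule emits many packet records that all point at the triggering event, and writing each group to its own pcap gives one capture per hit. The truncation check matters for a spool that is still being written by the sensor; a partial trailing record is reported instead of being parsed as garbage.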

