[Oisf-users] Logging full sessions and HTTP logs concurrently

Anoop Saldanha anoopsaldanha at gmail.com
Thu Sep 19 09:31:35 UTC 2013

On Thu, Sep 19, 2013 at 2:58 PM, Victor Julien <lists at inliniac.net> wrote:
> Hash: SHA1
> On 09/19/2013 11:24 AM, Edward Fjellskål wrote:
>> I googled, but did not find any docs about it.... saw some hits on
>> the sourcecode, but did not dig into them.
>> This is a great feature to have though, and I guess one can use
>> this for a fairly good packet capture and might satisfy the initial
>> request?
> When fixed, this works by pushing the tags into the unified2 records,
> so barnyard2 would have to make pcap files out of that. Not sure how
> to configure by2 for that though.

When tagged packets are logged, what will lwe og as the alert sid in
barnyard hdr, for packets that didn't trigger any alerts?

>> On Thu, Sep 19, 2013 at 9:33 AM, Victor Julien <lists at inliniac.net
>> <mailto:lists at inliniac.net>> wrote:
>> On 09/19/2013 09:07 AM, Edward Fjellskål wrote:
>>> https://redmine.openinfosecfoundation.org/issues/120
>>> Snort would be able to do this like:
>>> *alert tcp any <> $HOME_NET any (msg:”GL Log Packet
>>> Evil-IP (gamelinux.org <http://gamelinux.org>
>> <http://gamelinux.org>)”;
>>> flags:S; tag:session,1000,bytes,100,seconds,0,packets;
>>> classtype:trojan-activity; sid:201102011; rev:1;)*
>> We support this tagging as well, never really benched it.

Anoop Saldanha

More information about the Oisf-users mailing list