[Oisf-users] Logging full sessions and HTTP logs concurrently
Anoop Saldanha
anoopsaldanha at gmail.com
Thu Sep 19 09:31:35 UTC 2013
On Thu, Sep 19, 2013 at 2:58 PM, Victor Julien <lists at inliniac.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/19/2013 11:24 AM, Edward Fjellskål wrote:
>> I googled, but did not find any docs about it.... saw some hits on
>> the sourcecode, but did not dig into them.
>>
>> This is a great feature to have though, and I guess one can use
>> this for a fairly good packet capture and might satisfy the initial
>> request?
>
> When fixed, this works by pushing the tags into the unified2 records,
> so barnyard2 would have to make pcap files out of that. Not sure how
> to configure by2 for that though.
>
When tagged packets are logged, what will lwe og as the alert sid in
barnyard hdr, for packets that didn't trigger any alerts?
>> On Thu, Sep 19, 2013 at 9:33 AM, Victor Julien <lists at inliniac.net
>> <mailto:lists at inliniac.net>> wrote:
>>
>> On 09/19/2013 09:07 AM, Edward Fjellskål wrote:
>>> https://redmine.openinfosecfoundation.org/issues/120
>>
>>> Snort would be able to do this like:
>>
>>> *alert tcp 85.19.221.54 any <> $HOME_NET any (msg:”GL Log Packet
>>> Evil-IP 85.19.221.54 (gamelinux.org <http://gamelinux.org>
>> <http://gamelinux.org>)”;
>>> flags:S; tag:session,1000,bytes,100,seconds,0,packets;
>>> classtype:trojan-activity; sid:201102011; rev:1;)*
>>
>> We support this tagging as well, never really benched it.
>>
--
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
More information about the Oisf-users
mailing list