[Oisf-users] Getting session data

Charles DeVoe scarecrow_57 at yahoo.com
Fri Nov 21 11:38:02 UTC 2014


Actually, we are only looking for the session data that is associated with the alert generated. We currently use the debug option and parse the data. It only gives us the packets associated with that particular event.

From: Cooper F. Nelson <cnelson at ucsd.edu>
To: Charles DeVoe <scarecrow_57 at yahoo.com>; "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Sent: Wednesday, November 19, 2014 8:55 AM
Subject: Re: [Oisf-users] Getting session data

Is this what you want?

> Packet log (pcap-log)
> With the pcap-log option you can save all packets that are registered by Suricata in a log file named log.pcap. This way, you can take a look at all packets whenever you want.
> In the normal mode a pcap file is created in the default-log-dir. It can also be created elsewhere if an absolute path is set in the yaml-file.
> 
> The file that is saved, for example, in the default-log-dir /var/log/suricata can be opened with every program which supports the pcap file format. This can be Wireshark, TCPdump, Suricata, Snort and many others.
> 
> The pcap-log option can be enabled and disabled.
> 
> There is a size limit for the pcap-log file that can be set. The default limit is 32 MB. If the log-file reaches this limit, the file will be rotated and a new one will be created.

From: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml



On 11/19/2014 3:19 AM, Charles DeVoe wrote:
> When we started this project it was decided that we need the session
> data along with the alert.  Back then we found that the only way we
> could get this was by using the debug output (although there may have
> been another way).  I attempted to install Suricata with prelude support
> and that failed during the ./configure process.
> 
> So to get to the point.  What methods are available for getting session
> data and which is the best?
> 
> "Thank you for your Support"
> Bartyles and James
> 
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
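The pcap-log file quoted above holds every packet Suricata saw, so the "session data associated with the alert" still has to be carved out of it by flow. The following is an added example, not code from the thread or from the Suricata project: it reads a little-endian libpcap file and returns the frames whose 5-tuple matches an alert in either direction. The alert is assumed to be a dict using EVE-style field names (src_ip, src_port, dest_ip, dest_port, proto); the pcap and frames at the bottom are constructed sample data, not real traffic.

```python
import struct
def flow_key(frame):
    """(proto, src, sport, dst, dport) for an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return (proto, src, sport, dst, dport)

def same_flow(a, b):  # same session, either direction
    if a is None or b is None or a[0] != b[0]:
        return False
    return a[1:] == b[1:] or (a[1], a[2], a[3], a[4]) == (b[3], b[4], b[1], b[2])

def session_packets(pcap, alert):
    """Raw frames in a little-endian libpcap file that belong to the alert's flow."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    key = ({"TCP": 6, "UDP": 17}[alert["proto"]], alert["src_ip"],
           alert["src_port"], alert["dest_ip"], alert["dest_port"])
    off, out = 24, []  # skip the 24-byte global header
    while off + 16 <= len(pcap):  # 16-byte record header, then incl_len bytes of frame
        incl_len = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if same_flow(flow_key(frame), key):
            out.append(frame)
    return out

# Constructed sample data, not real traffic: minimal Ethernet/IPv4/TCP frames in a pcap.
def _frame(src, dst, sport, dport):
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16

def build_pcap(frames):
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        data += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return data

SAMPLE_ALERT = {"proto": "TCP", "src_ip": "10.0.0.5", "src_port": 40000,
                "dest_ip": "192.0.2.10", "dest_port": 80}
SAMPLE_PCAP = build_pcap([_frame("10.0.0.5", "192.0.2.10", 40000, 80),   # alert flow
                          _frame("10.0.0.9", "192.0.2.10", 40001, 80),   # unrelated flow
                          _frame("192.0.2.10", "10.0.0.5", 80, 40000)])  # reply direction
```

On a real log.pcap, pass the file's bytes and the alert's fields; the two matching frames in the sample show that both directions of the session are kept while the unrelated flow is dropped.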