[Oisf-users] Considering transitioning from Snort to Suricata questions

Jeff H jeff61225 at gmail.com
Mon Feb 8 19:36:40 UTC 2016


On Sun, Feb 7, 2016 at 12:01 PM, Andreas Herz <andi at geekosphere.org> wrote:

>
> > I am considering looking into switching some of my Snort installs to
> > Suricata. Are there any guides/documentation/blog posts (official or not)
> > that are aimed at Snort users interested in Suricata?
>
> There is this page in regard to the config:
>
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Snortconf_to_Suricatayaml
>
> And the user guide docs in general should cover all topics; if something
> special is missing, just ask.
>
> --
> Andreas Herz
>

Hi Andreas,

I think one of the things I am confused about is the logging in Suricata.
Reading the Suricatayaml documentation
(https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml)
I see the option for pcap logging, but it looks like that logs all traffic,
not just alerts. Is that correct?

What logging options need to be enabled to save a pcap of only the traffic
that generated an alert? I would like to have that in addition to the eve
logging (which I think I understand based on the documentation).

Jeff
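Jeff's question is not answered in this part of the thread. As an added example (not code from the thread or from the Suricata project), the script below shows one way to get an alert-only pcap out of the two outputs he names: leave pcap-log capturing all traffic, then post-filter that capture down to the 5-tuples of flows that appear as eve `alert` records. The pcap container, frames and eve lines are constructed inline for the demo; the pcap/Ethernet/IPv4 parsing is hand-written here and handles only classic little-endian pcap with the Ethernet link type.

```python
"""Carve alert-only traffic out of a full pcap-log capture using eve.json alerts.

Added example: Suricata's pcap-log writes every packet, while eve.json carries
one 'alert' record per matching packet with the flow's 5-tuple. Joining the two
yields a pcap of only the alerting flows. All sample data below is constructed.
"""
import json
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NUM = {"TCP": 6, "UDP": 17}


def alert_flows(eve_lines):
    """Collect a direction-independent (proto, {endpoint, endpoint}) key per eve alert."""
    keys = set()
    for line in eve_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":      # flow, dns, http, ... records are ignored
            continue
        proto = PROTO_NUM.get(ev.get("proto", "").upper())
        if proto is None:                        # ICMP etc. carry no ports; not handled here
            continue
        a = (ev["src_ip"], ev["src_port"])
        b = (ev["dest_ip"], ev["dest_port"])
        keys.add((proto, frozenset((a, b))))     # frozenset keeps both directions of the flow
    return keys


def parse_pcap(data):
    """Yield (record_header, packet_bytes) for each record of a classic pcap."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap (0xa1b2c3d4) is handled here")
    off = 24                                     # skip the 24-byte global header
    while off + 16 <= len(data):
        hdr = data[off:off + 16]
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", hdr)
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        yield hdr, pkt


def flow_key(pkt):
    """Return the flow key of an Ethernet/IPv4/TCP|UDP frame, or None for anything else."""
    if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (pkt[14] & 0x0F) * 4                   # IPv4 header length in bytes
    proto = pkt[23]
    if proto not in (6, 17) or len(pkt) < 14 + ihl + 4:
        return None
    src = socket.inet_ntoa(pkt[26:30])
    dst = socket.inet_ntoa(pkt[30:34])
    sport, dport = struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
    return (proto, frozenset(((src, sport), (dst, dport))))


def filter_pcap(pcap_bytes, eve_lines):
    """Return (new_pcap, kept_count): only packets whose flow produced an alert."""
    wanted = alert_flows(eve_lines)
    out = bytearray(pcap_bytes[:24])             # reuse the original global header
    kept = 0
    for hdr, pkt in parse_pcap(pcap_bytes):
        if flow_key(pkt) in wanted:
            out += hdr + pkt
            kept += 1
    return bytes(out), kept


def _frame(src, sport, dst, dport, proto, payload=b""):
    """Constructed Ethernet/IPv4 frame with a zeroed TCP (20 B) or UDP (8 B) header."""
    l4 = struct.pack("!HH", sport, dport) + (b"\x00" * 16 if proto == 6 else b"\x00" * 4) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def _pcap(frames):
    """Constructed classic pcap container around the given frames."""
    gh = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return gh + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# Constructed sample: three flows in the capture, only the first one alerted.
SAMPLE_PCAP = _pcap([
    _frame("10.0.0.5", 51234, "203.0.113.9", 80, 6, b"GET / HTTP/1.1\r\n"),
    _frame("203.0.113.9", 80, "10.0.0.5", 51234, 6, b"HTTP/1.1 200 OK\r\n"),
    _frame("10.0.0.5", 40000, "10.0.0.53", 53, 17, b"\x00" * 12),
    _frame("10.0.0.7", 44444, "198.51.100.2", 443, 6),
])
SAMPLE_EVE = [
    json.dumps({"timestamp": "2016-02-08T19:36:40.000000+0000", "flow_id": 1,
                "event_type": "alert", "src_ip": "10.0.0.5", "src_port": 51234,
                "dest_ip": "203.0.113.9", "dest_port": 80, "proto": "TCP",
                "alert": {"signature_id": 1000001, "signature": "DEMO HTTP request"}}),
    json.dumps({"timestamp": "2016-02-08T19:36:41.000000+0000", "flow_id": 2,
                "event_type": "flow", "src_ip": "10.0.0.5", "src_port": 40000,
                "dest_ip": "10.0.0.53", "dest_port": 53, "proto": "UDP"}),
]

if __name__ == "__main__":
    carved, n = filter_pcap(SAMPLE_PCAP, SAMPLE_EVE)
    total = sum(1 for _ in parse_pcap(SAMPLE_PCAP))
    print(f"kept {n} of {total} packets ({len(carved)} bytes of pcap)")
```

The post-filter keeps both directions of an alerting flow because the key is a set of endpoints rather than an ordered pair, which is what you want when a rule fires on the response but the request is the interesting part. Suricata releases from 6.0 onward can do this inside the engine with `conditional: alerts` under `pcap-log` in suricata.yaml; the external approach above is for builds that, like the one discussed here, only offer all-traffic pcap logging.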