[Oisf-users] Considering transitioning from Snort to Suricata questions

Brandon Lattin latt0050 at umn.edu
Mon Feb 8 19:45:17 UTC 2016


You're probably looking for the 'types' stanza under the eve-logging (json)
component:

      types:
        - alert:
            # payload: yes           # enable dumping payload in Base64
            # payload-printable: yes # enable dumping payload in printable (lossy) format
            # packet: yes            # enable dumping of packet (without stream segments)

On Mon, Feb 8, 2016 at 1:36 PM, Jeff H <jeff61225 at gmail.com> wrote:

>
>
> On Sun, Feb 7, 2016 at 12:01 PM, Andreas Herz <andi at geekosphere.org>
> wrote:
>
>>
>> > I am considering looking into switching some of my Snort installs to
>> > Suricata. Are there any guides/documentation/blog posts (official or not)
>> > that are aimed at Snort users interested in Suricata?
>>
>> There is this page in regard to the config:
>>
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Snortconf_to_Suricatayaml
>>
>> And the user guide docs in general should cover all topics; if something
>> special is missing, just ask.
>>
>> --
>> Andreas Herz
>>
>
> Hi Andreas,
>
> I think one of the things I am confused about is the logging in Suricata.
> Reading the Suricatayaml documentation (
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml)
> I see the option for pcap logging, but it looks like that logs all traffic,
> not just alerts, is that correct?
>
> What logging options need to be enabled to save a pcap of only the traffic
> that generated an alert? I would like to have that in addition to the eve
> logging (which I think I understand based on the documentation).
>
> Jeff
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net
>



-- 
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
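With `packet: yes` enabled in the alert stanza above, each EVE alert record carries the triggering packet as base64 in its `packet` field, which is the closest thing to "a pcap of only alerting traffic". The following added example (not from the list thread or the Suricata project) pulls those packets out of an eve.json file and writes them as a plain pcap; the sample records are constructed, and the `packet_info.linktype` field is an assumption, with Ethernet assumed when it is absent.

```python
import base64
import json
import struct
from datetime import datetime

PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap, little-endian
DLT_EN10MB = 1           # Ethernet; assumed when a record gives no linktype

# Constructed EVE lines (not real Suricata output): one alert with an
# embedded 42-byte packet, plus a flow record that must be skipped.
_FAKE_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + bytes(28)
SAMPLE_EVE = "\n".join([
    json.dumps({"timestamp": "2016-02-08T13:36:00.123456-0600",
                "event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
                "alert": {"signature": "constructed test signature"},
                "packet": base64.b64encode(_FAKE_FRAME).decode(),
                "packet_info": {"linktype": 1}}),   # field name is an assumption
    json.dumps({"timestamp": "2016-02-08T13:36:01.000000-0600",
                "event_type": "flow"}),
])

def alert_packets(eve_text):
    """Yield (timestamp, linktype, raw bytes) for alert records that carry a packet."""
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert" or "packet" not in rec:
            continue  # flow/http/dns records, or alerts logged without packet: yes
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        linktype = rec.get("packet_info", {}).get("linktype", DLT_EN10MB)
        yield ts, linktype, base64.b64decode(rec["packet"])

def eve_alerts_to_pcap(eve_text):
    """Return the bytes of a pcap file holding only the alert packets."""
    pkts = list(alert_packets(eve_text))
    linktype = pkts[0][1] if pkts else DLT_EN10MB
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for ts, lt, data in pkts:
        if lt != linktype:
            raise ValueError("mixed link types %d and %d in one pcap" % (linktype, lt))
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", int(ts.timestamp()), ts.microsecond, len(data), len(data))
        out += data
    return bytes(out)

if __name__ == "__main__":
    with open("alerts.pcap", "wb") as f:
        f.write(eve_alerts_to_pcap(SAMPLE_EVE))
```

Point it at a real eve.json by replacing `SAMPLE_EVE` with the file contents; the resulting file opens in Wireshark or tcpdump, but note it holds single packets, not the reassembled stream segments the comment in the stanza refers to.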

