[Oisf-users] Considering transitioning from Snort to Suricata questions

Brandon Lattin latt0050 at umn.edu
Mon Feb 8 21:02:06 UTC 2016

They're off by default (if I remember correctly). There are no true pcap
files, just the packet contents represented in whatever format you select
in the json blob.

On Mon, Feb 8, 2016 at 2:32 PM, Jeff H <jeff61225 at gmail.com> wrote:

> On Mon, Feb 8, 2016 at 11:45 AM, Brandon Lattin <latt0050 at umn.edu> wrote:
>> You're probably looking for the 'types' stanza under the eve-logging
>> (json) component:
>>       types:
>>         - alert:
>>             # payload: yes           # enable dumping payload in Base64
>>             # payload-printable: yes # enable dumping payload in
>> printable (lossy) format
>>             # packet: yes            # enable dumping of packet (without
>> stream segments)
>> Thanks Brandon, that does seem to be what I'm looking for. So when using
> the type alert in eve-logging do all three of those default to yes? Are
> individual pcap files created for each alert?
> I can't find this text in any of the documentation.

Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160208/996a2715/attachment-0002.html>

More information about the Oisf-users mailing list