[Oisf-users] Considering transitioning from Snort to Suricata questions

Rob MacGregor rob.macgregor at gmail.com
Mon Feb 8 21:50:49 UTC 2016


On Mon, Feb 8, 2016 at 8:33 PM Jeff H <jeff61225 at gmail.com> wrote:

> Thanks Brandon, that does seem to be what I'm looking for. So when using
> the type alert in eve-logging do all three of those default to yes? Are
> individual pcap files created for each alert?
>

If you're after the full sessions that caused the alert, then you'll need
an external packet capture program that gives you a rolling buffer on disk.
You can then retrieve the session from that program's archive. If you're on
an IPv4 only network then Moloch is pretty sweet, Stenographer is shaping
up nicely (AF_PACKET only though) and OpenFPC is worth a look too.

The chances are if your existing USM setup provides packet capture, that
wasn't done by Snort and the same solution that worked for you there will
still work now.

-- 
 Rob MacGregor
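The workflow Rob describes, an alert in Suricata's eve.json pointing at a session that has to be pulled from a separate rolling packet-capture archive, as an added example that is not from the thread, from Suricata, or from any of the capture tools named above. It reads EVE alert records (the field names `timestamp`, `flow_id`, `event_type`, `src_ip`, `src_port`, `dest_ip`, `dest_port`, `proto` and the nested `alert` object are Suricata's own), and for each alert derives the time window and a direction-exact BPF filter that a capture archive query would need. The sample eve.json lines are constructed, the 60-second margin is an assumed tunable rather than a Suricata setting, and the assumption that the archive can be queried by time range plus BPF filter is mine.

```python
"""Map Suricata EVE alerts to session-retrieval queries for a pcap archive.

Added example (not Suricata code, not code from the mailing list). It
assumes a full-packet-capture archive that can be asked for a time window
plus a BPF-style filter; the margin around the alert is an assumption.
"""
import json
from datetime import datetime, timedelta

# Constructed sample eve.json lines (not real traffic). Field names follow
# Suricata's EVE output; the flow record shows that non-alert events are
# interleaved in the same file and must be filtered out.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2016-02-08T20:31:05.123456+0000","flow_id":1234567890,'
    '"event_type":"alert","src_ip":"192.0.2.10","src_port":51234,'
    '"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP",'
    '"alert":{"signature_id":2000001,"rev":1,"signature":"EXAMPLE http rule",'
    '"severity":2}}',
    '{"timestamp":"2016-02-08T20:31:06.000000+0000","flow_id":42,'
    '"event_type":"flow","src_ip":"192.0.2.10","src_port":53,'
    '"dest_ip":"192.0.2.1","dest_port":53,"proto":"UDP"}',
    '{"timestamp":"2016-02-08T20:31:07.500000+0000","flow_id":99,'
    '"event_type":"alert","src_ip":"203.0.113.7","src_port":41000,'
    '"dest_ip":"192.0.2.20","dest_port":53,"proto":"UDP",'
    '"alert":{"signature_id":2000002,"rev":1,"signature":"EXAMPLE dns rule",'
    '"severity":3}}',
]


def parse_alerts(lines):
    """Return decoded records whose event_type is 'alert'.

    Malformed lines are skipped instead of aborting: a rotated or
    still-being-written eve.json commonly ends in one truncated record.
    """
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def session_filter(alert):
    """Build a BPF filter matching both directions of the alerting flow.

    Spelling out both directions avoids the looser
    'host A and port B and host C and port D', which would also match
    unrelated A:D <-> C:B traffic in a busy archive.
    """
    proto = alert["proto"].lower()
    a, ap = alert["src_ip"], alert["src_port"]
    b, bp = alert["dest_ip"], alert["dest_port"]
    return (
        f"{proto} and ("
        f"(src host {a} and src port {ap} and dst host {b} and dst port {bp})"
        f" or "
        f"(src host {b} and src port {bp} and dst host {a} and dst port {ap}))"
    )


def time_window(alert, margin_seconds=60):
    """Return (start, end) datetimes bracketing the alert timestamp.

    The alert fires mid-session, so the archive query has to reach back
    before the timestamp to pick up the handshake and any earlier payload.
    The margin is a tunable assumption, not a Suricata setting.
    """
    ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    margin = timedelta(seconds=margin_seconds)
    return ts - margin, ts + margin


def retrieval_plan(alert, margin_seconds=60):
    """Combine the pieces into one record an analyst or script can act on."""
    start, end = time_window(alert, margin_seconds)
    return {
        "flow_id": alert.get("flow_id"),
        "sid": alert["alert"]["signature_id"],
        "signature": alert["alert"]["signature"],
        "start": start.isoformat(),
        "end": end.isoformat(),
        "bpf": session_filter(alert),
    }


if __name__ == "__main__":
    for plan in map(retrieval_plan, parse_alerts(SAMPLE_EVE_LINES)):
        print(json.dumps(plan, indent=2))
```

The `flow_id` is carried through because it is the key that lets the alert be joined to Suricata's own `flow` record for the same session, which gives the real start time once the flow closes; the symmetric time margin is the fallback when only the alert has been seen so far.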