[Oisf-users] Considering transitioning from Snort to Suricata questions
Duane Howard
duane.security at gmail.com
Tue Feb 9 00:07:14 UTC 2016
The closest I've seen to the pcap output you're looking for to enable the
unified2 output (which you can use barnyard on if you so choose). See this
section of the yaml:
https://redmine.openinfosecfoundation.org/attachments/718/suricata.yaml#L55
Also, if we're plugging full pcap solutions, +1 to Steno =)
https://github.com/google/stenographer
On Mon, Feb 8, 2016 at 1:50 PM, Rob MacGregor <rob.macgregor at gmail.com>
wrote:
> On Mon, Feb 8, 2016 at 8:33 PM Jeff H <jeff61225 at gmail.com> wrote:
>
>> Thanks Brandon, that does seem to be what I'm looking for. So when using
>> the type alert in eve-logging do all three of those default to yes? Are
>> individual pcap files created for each alert?
>>
>
> If you're after the full sessions that caused the alert, then you'll need
> an external packet capture program that gives you a rolling buffer on disk.
> You can then retrieve the session from that program's archive. If you're on
> an IPv4 only network then Moloch is pretty sweet, Stenographer is shaping
> up nicely (AF_PACKET only though) and OpenFPC is worth a look too.
>
> The chances are if your existing USM setup provides packet capture, that
> wasn't done by Snort and the same solution that worked for you there will
> still work now.
>
> --
> Rob MacGregor
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160208/bdccfad7/attachment-0002.html>
More information about the Oisf-users
mailing list