[Oisf-users] Considering transitioning from Snort to Suricata questions

elof2 at sentor.se
Thu Mar 10 11:03:09 UTC 2016


Yepp, log to unified2.
Then let barnyard2 process this file.
Configure barnyard2 to use any outputs you need (pcap, ascii, postgres, mysql, ...)

/Elof
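Added example, not part of the original reply or of the Suricata project's shipped configuration: the `unified2-alert` entry of the `outputs:` section in suricata.yaml that the workflow above depends on. The log directory, file name, size limit and sensor id are assumed values; the key names are Suricata's own.

```yaml
# suricata.yaml (excerpt) - added example, assumed values below
default-log-dir: /var/log/suricata/   # assumed; barnyard2 reads its spool from here

outputs:
  # Binary unified2 spool consumed by barnyard2. Suricata appends to
  # <filename>.<timestamp> and rolls to a new file when 'limit' is reached.
  - unified2-alert:
      enabled: yes
      filename: unified2.alert          # assumed base name; barnyard2 -f must match
      limit: 32mb                       # assumed rotation size (kb, mb, gb or bytes)
      sensor-id: 0                      # assumed; distinguishes sensors in a shared DB
      payload: yes                      # keep the triggering packet payload in the record
      xff:
        enabled: no                     # only needed behind a reverse proxy
```

With that in place barnyard2 can be pointed at the spool with its standard flags, for example `barnyard2 -c /etc/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/barnyard2.waldo`, where the waldo file records how far the spool has been read so records are not written twice after a restart. The `unified2-alert` output was removed in Suricata 5.0, so this path only applies to the 2.x/3.x/4.x releases in use when this thread was written; on current releases the EVE JSON output (already mentioned in the thread) takes its place, and full-session pcap still needs the external capture tools discussed below.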

On Mon, 8 Feb 2016, Duane Howard wrote:

> The closest I've seen to the pcap output you're looking for to enable the
> unified2 output (which you can use barnyard on if you so choose). See this
> section of the yaml:
> https://redmine.openinfosecfoundation.org/attachments/718/suricata.yaml#L55
>
> Also, if we're plugging full pcap solutions, +1 to Steno =)
> https://github.com/google/stenographer
>
> On Mon, Feb 8, 2016 at 1:50 PM, Rob MacGregor <rob.macgregor at gmail.com>
> wrote:
>
>> On Mon, Feb 8, 2016 at 8:33 PM Jeff H <jeff61225 at gmail.com> wrote:
>>
>>> Thanks Brandon, that does seem to be what I'm looking for. So when using
>>> the type alert in eve-logging do all three of those default to yes? Are
>>> individual pcap files created for each alert?
>>>
>>
>> If you're after the full sessions that caused the alert, then you'll need
>> an external packet capture program that gives you a rolling buffer on disk.
>> You can then retrieve the session from that program's archive. If you're on
>> an IPv4 only network then Moloch is pretty sweet, Stenographer is shaping
>> up nicely (AF_PACKET only though) and OpenFPC is worth a look too.
>>
>> The chances are if your existing USM setup provides packet capture, that
>> wasn't done by Snort and the same solution that worked for you there will
>> still work now.
>>
>> --
>>  Rob MacGregor
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC:
>> http://oisfevents.net
>>
>