[Oisf-devel] Suricata fastlog [pcap file packet:]
Victor Julien
victor at inliniac.net
Thu Nov 14 10:53:12 UTC 2013
On 11/11/2013 09:07 PM, Kenneth Steele wrote:
> When Suricata processes packets from a pcap file, some alerts in the
> fast.log output have “[pcap file packet: NNNN]” appended, where NNNN is
> the packet number from the pcap file.
>
> This makes the fast.log file generated by Suricata running from live
> traffic and from pcap files different. Is this additional information
> useful?
It's useful to rule writers I think. Although the alert-debug log is
meant for this as well.
I don't know if anyone is relying on this, so I'd rather not remove it.
If you want to make it optional (enabled by default), I'd be happy to
accept a patch.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
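As an added example (not code from this thread or from the Suricata project): a small Python parser that accepts fast.log alert lines in both forms described above, returns the pcap packet number when the "[pcap file packet: NNNN]" suffix is present, and strips that suffix so output from a pcap run can be compared line-for-line with output from live traffic. The fast.log field layout encoded in the regex is an assumption about the format, and the sample lines are constructed.

```python
import re

# Assumed fast.log layout (not quoted from the thread):
#   timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: N] {PROTO} src -> dst
# optionally followed by the "[pcap file packet: NNNN]" suffix the list discusses.
FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+\[pcap file packet:\s*(?P<pkt>\d+)\])?\s*$"
)
PCAP_SUFFIX_RE = re.compile(r"\s*\[pcap file packet:\s*\d+\]\s*$")


def parse_fastlog_line(line):
    """Return the alert's fields as a dict, or None if the line does not parse.
    'pcap_packet' is the pcap frame number when the suffix is present and
    None for a line written from live traffic."""
    m = FASTLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "timestamp": m["ts"],
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"],
        "classification": m["cls"],
        "priority": int(m["prio"]),
        "proto": m["proto"], "src": m["src"], "dst": m["dst"],
        "pcap_packet": int(m["pkt"]) if m["pkt"] else None,
    }


def strip_pcap_suffix(line):
    """Drop the pcap-only suffix so pcap and live fast.log output compare equal."""
    return PCAP_SUFFIX_RE.sub("", line.rstrip("\n"))


# Constructed sample lines (not real traffic): the same alert as written from a
# pcap run and, after normalization, as it would appear from a live run.
PCAP_LINE = ("11/11/2013-21:07:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE "
             "id check returned root [**] [Classification: Potentially Bad Traffic] "
             "[Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.5:51234 "
             "[pcap file packet: 4217]")
LIVE_LINE = strip_pcap_suffix(PCAP_LINE)
```

Running `strip_pcap_suffix` over a pcap-derived fast.log before diffing it against a live one removes the only difference the thread describes, while `parse_fastlog_line` keeps the packet number available for jumping to the frame in the pcap.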