[Oisf-devel] Feature request: stream logging mode

[Martin Holste]

I have a request for what I hope would be a big win for a small amount
of effort:  I currently use Vortex (vortex-ids.sourceforge.net) in the
StreamDB project, and it does one thing and does it well: it
reassembles TCP streams and logs each stream to a file and writes the
name of the newly written file to standard out.  Unfortunately, it
reads from the network in a single thread and does not use PF_RING for
clustering.  This means that it can drop streams at around 700 Mb/sec.

Conversely, Suricata is already built to scale to multiple threads.
If it could have a non-IDS mode that stopped analysis after the stream
reassembly and wrote the stream to disk while echoing the name of the
file to standard out, it could provide the same functionality as
Vortex at a larger scale.

It could theoretically perform both stream logging and IDS functions
at the same time, but performance may be a factor.  If it was able to
do both, then users would have an invaluable asset: TimeMachine-like
features in which Suricata could retroactively read in a stream for
additional analysis context.  That would be a much more complex
feature for the distant future, but this feature would pave the way
for it.

My hope would be that all of the essential code is already part of
Suricata, and it would only take a few additional management functions
and config parsers to allow stream logging to happen.