[Oisf-devel] Feature request: stream logging mode
Victor Julien
victor at inliniac.net
Sun Nov 27 20:15:49 UTC 2011
On 11/27/2011 06:44 PM, Martin Holste wrote:
> I have a request for what I hope would be a big win for a small amount
> of effort: I currently use Vortex (vortex-ids.sourceforge.net) in the
> StreamDB project, and it does one thing and does it well: it
> reassembles TCP streams and logs each stream to a file and writes the
> name of the newly written file to standard out. Unfortunately, it
> reads from the network in a single thread and does not use PF_RING for
> clustering. This means that it can drop streams at around 700 Mb/sec.
>
> Conversely, Suricata is already built to scale to multiple threads.
> If it could have a non-IDS mode that stopped analysis after the stream
> reassembly and wrote the stream to disk while echoing the name of the
> file to standard out, it could provide the same functionality as
> Vortex at a larger scale.
>
> It could theoretically perform both stream logging and IDS functions
> at the same time, but performance may be a factor. If it was able to
> do both, then users would have an invaluable asset: TimeMachine-like
> features in which Suricata could retroactively read in a stream for
> additional analysis context. That would be a much more complex
> feature for the distant future, but this feature would pave the way
> for it.
>
> My hope would be that all of the essential code is already part of
> Suricata, and it would only take a few additional management functions
> and config parsers to allow stream logging to happen.
Can you explain in some detail what Suricata would need to output? I
read on the streamdb site it creates an indexed db and a data file.
What's the format of each?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
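As an added illustration of the Vortex-style workflow Martin describes (reassemble each TCP stream, write it to its own file, echo the file name on standard output for a downstream indexer), here is a small Python sketch; it is not Vortex's, StreamDB's or Suricata's code, and the segment list, flow key and file naming are constructed assumptions.

```python
import os
import tempfile
from collections import defaultdict

# Constructed sample traffic: (src, dst, seq, payload) for two client->server
# flows, delivered out of order and with one retransmitted segment.
SEGMENTS = [
    ("10.0.0.1:4444", "10.0.0.2:80", 1000, b"GET / HTTP/1.1\r\n"),
    ("10.0.0.3:5555", "10.0.0.2:80", 500, b"GET /b"),
    ("10.0.0.1:4444", "10.0.0.2:80", 1031, b"\r\n"),  # arrives early
    ("10.0.0.1:4444", "10.0.0.2:80", 1016, b"Host: example\r\n"),
    ("10.0.0.1:4444", "10.0.0.2:80", 1016, b"Host: example\r\n"),  # retransmit
    ("10.0.0.3:5555", "10.0.0.2:80", 506, b" HTTP/1.1\r\n\r\n"),
]

def reassemble(segments):
    """Order each flow's segments by sequence number, dropping duplicate and
    overlapping bytes; a gap ends the stream rather than emitting bytes past it."""
    by_flow = defaultdict(dict)
    for src, dst, seq, payload in segments:
        segs = by_flow[(src, dst)]
        if len(payload) > len(segs.get(seq, b"")):  # keep one copy per seq
            segs[seq] = payload
    streams = {}
    for key, segs in by_flow.items():
        data, next_seq = bytearray(), min(segs)
        for seq in sorted(segs):
            if seq > next_seq:
                break  # missing segment: stop instead of writing garbage
            data += segs[seq][next_seq - seq:]  # trim any overlap
            next_seq = max(next_seq, seq + len(segs[seq]))
        streams[key] = bytes(data)
    return streams

def log_streams(segments, out_dir):
    """Vortex-style output: one file per stream, file name echoed on stdout."""
    paths = []
    for (src, dst), data in reassemble(segments).items():
        path = os.path.join(out_dir, f"{src}-{dst}.stream".replace(":", "_"))
        with open(path, "wb") as fh:
            fh.write(data)
        print(path)  # a downstream consumer (e.g. an indexer) reads this
        paths.append(path)
    return paths

def demo():
    return log_streams(SEGMENTS, tempfile.mkdtemp())

if __name__ == "__main__":
    demo()
```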