[Oisf-devel] Feature request: stream logging mode

Martin Holste mcholste at gmail.com
Mon Nov 28 04:28:09 UTC 2011


> Can you explain in some detail what Suricata would need to output? I
> read on the streamdb site it creates an indexed db and a data file.
> What's the format of each?

StreamDB takes care of all of the indexes, database work, and
everything not involved with collecting the stream off of the network.
All I need Suricata to do is write the stream buffer to disk with a
file named something like this (Vortex output):
tcp-100243088-1321557507-1321557516-r-9940-10.0.145.126:52589s66.235.132.118:80
$proto-$cnx_id-$start_ts-$end_ts-$term_reason-$bytes-$srcip:$srcport$originator$dstip:$dstport
Then print (or log) the name of the file so that the wrapper script
doesn't have to perform expensive directory listings to find the new
files being created.  StreamDB reads the file as written by Suricata,
and appends the data to the current stream file, then writes the file
offset and connection information to the database.

I'm hoping that since Suricata has already organized the data into
streams that this would be an easy win.
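The filename convention and the append-then-index step described in this message, worked through as an added example; this is not part of the original post and is not StreamDB's, Vortex's or Suricata's own code. It assumes IPv4 addresses in the filename, that the $bytes field equals the size of the file on disk, and uses an in-memory SQLite table as a stand-in for StreamDB's database; the single-letter $originator marker is captured but its meaning is not defined on this page. The sample stream content is constructed, not real capture data.

```python
import os
import re
import sqlite3
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple

# Vortex-style name quoted in the message:
# $proto-$cnx_id-$start_ts-$end_ts-$term_reason-$bytes-$srcip:$srcport$originator$dstip:$dstport
# Assumption: IPv4 only; term_reason and originator are short lowercase tokens.
FILENAME_RE = re.compile(
    r"^(?P<proto>[a-z]+)-(?P<cnx_id>\d+)-(?P<start_ts>\d+)-(?P<end_ts>\d+)-"
    r"(?P<term_reason>[a-z]+)-(?P<bytes>\d+)-"
    r"(?P<srcip>[0-9.]+):(?P<srcport>\d+)(?P<originator>[a-z])"
    r"(?P<dstip>[0-9.]+):(?P<dstport>\d+)$"
)


@dataclass(frozen=True)
class StreamMeta:
    proto: str
    cnx_id: int
    start_ts: int
    end_ts: int
    term_reason: str
    bytes: int
    srcip: str
    srcport: int
    originator: str
    dstip: str
    dstport: int


def parse_stream_filename(name: str) -> StreamMeta:
    """Split a per-connection stream filename into its connection fields."""
    m = FILENAME_RE.match(os.path.basename(name))
    if not m:
        raise ValueError("not a Vortex-style stream filename: %r" % name)
    g = m.groupdict()
    return StreamMeta(
        proto=g["proto"], cnx_id=int(g["cnx_id"]),
        start_ts=int(g["start_ts"]), end_ts=int(g["end_ts"]),
        term_reason=g["term_reason"], bytes=int(g["bytes"]),
        srcip=g["srcip"], srcport=int(g["srcport"]), originator=g["originator"],
        dstip=g["dstip"], dstport=int(g["dstport"]),
    )


class StreamIndex:
    """Stand-in for the StreamDB step: append each per-connection file to one
    large stream file and record the offset plus connection info in a table."""

    def __init__(self, stream_path: str, db_path: str = ":memory:"):
        self.stream_path = stream_path
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS streams ("
            "cnx_id INTEGER PRIMARY KEY, proto TEXT, start_ts INTEGER, end_ts INTEGER, "
            "term_reason TEXT, srcip TEXT, srcport INTEGER, originator TEXT, "
            "dstip TEXT, dstport INTEGER, offset INTEGER, length INTEGER)"
        )

    def ingest(self, path: str) -> Tuple[int, int]:
        """Consume one file (as named in the sensor's log), return (offset, length)."""
        meta = parse_stream_filename(path)
        with open(path, "rb") as f:
            data = f.read()
        # Assumption: $bytes in the name matches the bytes written; a mismatch
        # means a truncated or still-open file, so refuse to index it.
        if len(data) != meta.bytes:
            raise ValueError("size %d != $bytes %d for %s" % (len(data), meta.bytes, path))
        with open(self.stream_path, "ab") as out:
            offset = out.tell()  # append mode positions at end of file
            out.write(data)
        self.db.execute(
            "INSERT INTO streams VALUES (?,?,?,?,?,?,?,?,?,?,?,?)",
            (meta.cnx_id, meta.proto, meta.start_ts, meta.end_ts, meta.term_reason,
             meta.srcip, meta.srcport, meta.originator, meta.dstip, meta.dstport,
             offset, len(data)),
        )
        self.db.commit()
        return offset, len(data)

    def lookup(self, cnx_id: int) -> Optional[bytes]:
        """Pull one connection's bytes back out of the big stream file by offset."""
        row = self.db.execute(
            "SELECT offset, length FROM streams WHERE cnx_id = ?", (cnx_id,)).fetchone()
        if row is None:
            return None
        with open(self.stream_path, "rb") as f:
            f.seek(row[0])
            return f.read(row[1])


def demo() -> dict:
    """Run the whole flow on constructed input in a temp dir."""
    tmp = tempfile.mkdtemp()
    name1 = "tcp-100243088-1321557507-1321557516-r-9940-10.0.145.126:52589s66.235.132.118:80"
    payload1 = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n".ljust(9940, b"\0")  # constructed
    name2 = "tcp-100243089-1321557520-1321557521-f-12-10.0.145.126:52590s66.235.132.118:80"
    payload2 = b"hello world!"  # constructed, 12 bytes
    for name, payload in ((name1, payload1), (name2, payload2)):
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(payload)
    idx = StreamIndex(os.path.join(tmp, "streams.bin"))
    first = idx.ingest(os.path.join(tmp, name1))
    second = idx.ingest(os.path.join(tmp, name2))
    return {"first": first, "second": second,
            "roundtrip": idx.lookup(100243089) == payload2,
            "meta": parse_stream_filename(name1)}


if __name__ == "__main__":
    print(demo())
```

The `ingest` call is where the wrapper script described above would hand over each filename it reads from Suricata's log, avoiding directory listings entirely; the size check against $bytes is the one guard worth keeping, since it catches a file that is still being written.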
