[Oisf-users] Suricata 1.4, ability to specify a new custom log or see a log of DNS and ARP requests?

Victor Julien lists at inliniac.net
Thu Mar 14 16:48:08 UTC 2013

On 02/25/2013 08:49 PM, Vincent Fang wrote:
> So I see there are a bunch of preset logs like one for tcp pcap and one
> for the alerts, fast.log, and one for http custom logging. 
> One of the things I want to see is a log of DNS and ARP requests and
> responses, and I'm wondering if this is currently possible or should I
> just examine the tcp.pcap logs instead.

Non of those exist now. DNS parser and logger is in the works. ARP
isn't. Shouldn't be hard, might be a nice project for someone that wants
to get familiar with suricata development.

> But then I started thinking that different users will only care about
> different things so maybe it would be more modular to allow a way for
> Suricata.yaml to let users specify the number of logs they want Suricata
> to produce each with a custom format of data they care about? Is this
> possible with Suricata or will this need to be a feature request? Also
> does it make sense to add this kind of feature?

This would be nice, but non-trivial right now. To support something like
this we would have to somehow create keys for each field suricata has
access to/knowledge of. Then you could use these in such a custom log.
Like I said non-trivial, so not likely to happen anytime soon. Feel free
to open a feature request though.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list