[Oisf-users] A few questions about logging.

Victor Julien lists at inliniac.net
Mon Aug 4 09:11:00 UTC 2014 

On 07/23/2014 07:11 PM, Cooper F. Nelson wrote:
> I know this may be a tall order, but here goes...
> 
> Would it be possible to add pcap logging for the "worker" runmode that
> does the following?
> 
> 1.  Forwards packets to a virtual interface on the loopback (i.e. lo:1,
> lo:2, etc.), one per worker thread.

In the git master we can do per thread packet logging to separate files,
but forwarding packets to virtual interfaces isn't possible. I guess you
could script this using my lua output branch, but you won't get the
performance you seek as invoking the script(s) for each packet will be
expensive.

> 2.  Honors stream depth and drops SSL traffic past the handshake (like
> the pcap logs).
> 
> 3.  Honors pass rules.  So, the logging would happen after the detect
> process, not before.

Honoring pass rules means not logging packets after a pass rule matched
on a flow? I can add this.

> The idea is that I would like to attach an indexed packet capture
> process to each thread that in turn spools packets to a dedicated disk.

You can write per thread now.

You can also write to separate directories, so if you properly mount
your disks, you can write to separate disks.

In pcap-log, set the mode to 'multi' and filename to something like:

filename: /storage/pcaps/%n/pcap.%t

%n will transform into the thread number (1 - 16 if you have 16
threads). So mount you disks at /storage/pcaps/1, /storage/pcaps/2, etc.

Cheers,
Victor

> -Coop
> 
> On 7/18/2014 6:04 AM, Victor Julien wrote:
>> On 07/16/2014 06:59 PM, Cooper F. Nelson wrote:
>>> Does suricata honor pass rules when exporting JSON and pcap logs?
> 
>> Pass rules only affect detection, not event logging (like HTTP events)
>> or pcap recording.
> 
>>> Can suricata write to a named pipe instead of a file?  I.e., can I
>>> specify a FIFO for the pcap.log file and then monitor it with
>>> another program?
> 
>> For most outputs we support unix sockets, but not for pcap logging.
> 
> 
> 
> 

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

More information about the Oisf-users mailing list