[Oisf-users] A few questions about logging.
Victor Julien
lists at inliniac.net
Mon Aug 4 14:47:01 UTC 2014
On 08/04/2014 11:11 AM, Victor Julien wrote:
> On 07/23/2014 07:11 PM, Cooper F. Nelson wrote:
>> I know this may be a tall order, but here goes...
>>
>> Would it be possible to add pcap logging for the "worker" runmode that
>> does the following?
>>
>> 1. Forwards packets to a virtual interface on the loopback (i.e. lo:1,
>> lo:2, etc.), one per worker thread.
>
> In the git master we can do per thread packet logging to separate files,
> but forwarding packets to virtual interfaces isn't possible. I guess you
> could script this using my lua output branch, but you won't get the
> performance you seek as invoking the script(s) for each packet will be
> expensive.
>
>> 2. Honors stream depth and drops SSL traffic past the handshake (like
>> the pcap logs).
>>
>> 3. Honors pass rules. So, the logging would happen after the detect
>> process, not before.
>
> Honoring pass rules means not logging packets after a pass rule matched
> on a flow? I can add this.
Added this here: https://github.com/inliniac/suricata/pull/1086. Care to
test?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
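For readers who want to map the three requests in the quoted message onto a configuration, here is an added suricata.yaml fragment (not part of this thread or of the pull request above). It assumes the pcap-log option names `mode: multi`, `use-stream-depth` and `honor-pass-rules` as they appear in later Suricata releases; the filename variables and the pass rule are constructed for illustration.

```yaml
# Added example, not from the thread: pcap-log settings covering the three
# requests above. Option names are assumed from later suricata.yaml releases.
outputs:
  - pcap-log:
      enabled: yes
      # Request 1: per-thread logging in "workers" runmode. In multi mode
      # each packet thread writes its own file; %n is the thread number,
      # %t a timestamp (assumed variable names).
      mode: multi
      filename: pcap/log.thread%n.%t.pcap
      limit: 1000mb
      max-files: 2000
      # Request 2: stop logging a flow once stream.reassembly.depth is
      # reached, so bulk SSL/TLS data after the handshake is not written.
      use-stream-depth: yes
      # Request 3: stop logging a flow after a pass rule matched on it,
      # i.e. logging is decided after the detect stage, not before.
      honor-pass-rules: yes

# Constructed pass rule to pair with honor-pass-rules: once it matches on a
# flow, subsequent packets of that flow are no longer written to the pcap.
# (Would live in a rules file, shown here for context.)
#   pass tls any any -> any any (msg:"Skip logging of established TLS"; \
#     flow:established; sid:9000001; rev:1;)
```

Run `suricata --dump-config` after editing to confirm the pcap-log keys are recognised by the version you deployed.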