[Oisf-users] A few questions about logging.

Cooper F. Nelson cnelson at ucsd.edu
Mon Aug 4 20:03:25 UTC 2014


On 8/4/2014 7:47 AM, Victor Julien wrote:
> Added this here https://github.com/inliniac/suricata/pull/1086, care to
> test?

Well, I ran into a bit of a snag.  I don't actually have fast enough
storage (or enough disks) to properly test this.  My rationale was I
would put in the request first and if it made it into production it
would influence future hardware purchases.

So what I did instead was to try writing to named pipes, as I mentioned
earlier.  So I did this:

for i in $(seq 1 16); do mkfifo /var/log/pcap/$i.pcap; done

...and tried this config:

>   - pcap-log:
>       enabled: yes
>       dir: /var/log/pcap
>       filename: /%n.pcap
>       filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
>       # File size limit.  Can be specified in kb, mb, gb.  Just a number
>       # is parsed as bytes.
>       #limit: 64mb
>       # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
>       #max-files: 1000
>       mode: multi # normal or sguil.
>       #sguil-base-dir: /nsm_data/
>       #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
>       use-stream-depth: yes #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
>       honor-pass-rules: yes

This sort of worked in that I could get a bit of data out of the named
pipes, but suricata would then wedge and stop processing packets.  I
tried all the different filetypes, nothing worked as expected.

It could be I don't understand something about named pipes on linux, as
I don't have much experience using them.  Is it possible given that the
named pipes are 0 bytes in size that suricata gets confused trying to
monitor them?

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
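The two FIFO behaviours worth checking before pointing a pcap writer at a named pipe, as an added shell example (not code from the thread or from Suricata; it assumes a Linux/POSIX box with coreutils, and the 64 KiB figure is Linux's default pipe buffer). The first function shows that open(2) for writing on a FIFO blocks until some process opens it for reading; the second shows that, once a reader exists, a writer only makes progress as fast as the reader drains the pipe, because the kernel buffer is small and the zero-byte size reported by ls says nothing about how much is queued.

```shell
#!/bin/sh
# Added example: FIFO semantics that matter when a pcap writer targets a named pipe.
# Assumes coreutils (mkfifo, mktemp, timeout, head, wc) on a Linux/POSIX system.

# Returns 0 if a writer with no reader is still blocked in open() after $1 seconds.
fifo_writer_blocks_without_reader() {
  dir=$(mktemp -d)
  mkfifo "$dir/1.pcap"
  # No reader is ever attached; open(2) for writing blocks until one appears.
  # timeout exits 124 if the writer is still stuck when the limit expires.
  if timeout "$1" sh -c "printf x > '$dir/1.pcap'"; then rc=0; else rc=$?; fi
  rm -rf "$dir"
  [ "$rc" -eq 124 ]
}

# Returns 0 if writing $1 bytes completes and the reader receives all of them.
fifo_writer_completes_with_reader() {
  dir=$(mktemp -d)
  mkfifo "$dir/1.pcap"
  # Reader: open the FIFO and drain it to a regular file until the writer closes.
  (cat "$dir/1.pcap" > "$dir/drained") &
  reader=$!
  # Writer: push more than the 64 KiB default pipe buffer (Linux), so the writer
  # must wait on the reader repeatedly instead of just filling the buffer once.
  if timeout 10 sh -c "head -c $1 /dev/zero > '$dir/1.pcap'"; then rc=0; else rc=$?; fi
  wait "$reader"
  size=$(wc -c < "$dir/drained" | tr -d ' ')
  rm -rf "$dir"
  [ "$rc" -eq 0 ] && [ "$size" -eq "$1" ]
}

# Stand-alone run: first call should report "blocks", second "completes".
if fifo_writer_blocks_without_reader 2; then echo "no reader: writer blocks"; fi
if fifo_writer_completes_with_reader 262144; then echo "with reader: writer completes"; fi
```

The practical consequence for a pcap-to-FIFO setup is that every FIFO the logger opens needs a consumer already attached and continuously reading; a consumer that stops, or a FIFO nobody opens, stalls the writer at the open or write call rather than failing it.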