[Oisf-users] A few questions about logging.

Cooper F. Nelson cnelson at ucsd.edu
Tue Aug 5 19:30:45 UTC 2014


I tried setting up a bunch of 'cat' listeners that redirected to
/dev/null as a test, but most of them terminated almost immediately
after starting suricata.  I suspect the internal buffers aren't big
enough for the amount of data the suricata threads are producing.

Doing some googling it looks like the "dummy" network interface is what
would probably work the best for doing raw packet IPC with suricata:

http://wiki.networksecuritytoolkit.org/nstwiki/index.php/Dummy_Interface

The idea would be to set up virtual interfaces on the dummy device as such:

ifconfig dummy0:1
ifconfig dummy0:2
ifconfig dummy0:3

... and then write the post-processed raw packets to the virtual
interfaces, one per thread.  Unless I'm missing something this should be
a workable solution, but as we have seen I tend to miss things!

-Coop

On 8/5/2014 4:21 AM, Victor Julien wrote:
> On 08/05/2014 05:32 AM, Cooper F. Nelson wrote:
>> Yup, I don't understand named pipes.  You need to attach the consumer
>> process to all the pipes first before starting suricata, otherwise it
>> will block the process.
> 
> So did you find a way to make it work?
> 

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
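As an added example (not from this thread), a Python probe of the FIFO semantics behind the observations above: a producer opening a named pipe with no consumer attached either blocks or, with O_NONBLOCK, fails with ENXIO; the consumer sees EOF the moment every writer closes (which is when a `cat` listener exits); and the kernel pipe buffer bounds how far a stalled consumer can fall behind. The FIFO path is constructed for the demo and is not a Suricata output path.

```python
import errno
import os
import tempfile
import threading

def probe_fifo(path):
    """Show attach-order, EOF and buffer-capacity behaviour of a FIFO."""
    results = {}
    # 1. No reader yet: blocking open(O_WRONLY) would hang; O_NONBLOCK gives ENXIO.
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_NONBLOCK))
        results["no_reader_is_enxio"] = False
    except OSError as e:
        results["no_reader_is_enxio"] = e.errno == errno.ENXIO
    # 2. Attach the consumer first, then open the producer side.
    go = threading.Event()
    consumer_total = [0]
    def consumer():
        fd = os.open(path, os.O_RDONLY)   # blocks until a writer opens
        go.wait()                          # hold off reading so the pipe fills
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:                  # EOF: every writer has closed
                break
            consumer_total[0] += len(chunk)
        os.close(fd)
    t = threading.Thread(target=consumer)
    t.start()
    wfd = os.open(path, os.O_WRONLY)       # rendezvous with the consumer
    os.set_blocking(wfd, False)
    capacity = 0
    block = b"\x00" * 4096                 # PIPE_BUF-sized writes are atomic
    while True:
        try:
            capacity += os.write(wfd, block)
        except BlockingIOError:            # EAGAIN: kernel pipe buffer is full
            break
    results["pipe_capacity"] = capacity    # bytes a stalled consumer can owe
    go.set()
    os.close(wfd)                          # consumer drains, then hits EOF
    t.join()
    results["consumer_read"] = consumer_total[0]
    return results

def run_demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo.fifo")  # constructed path for the demo
        os.mkfifo(path)
        return probe_fifo(path)
```

Once that buffer is full, a producer thread blocks on write (or gets EAGAIN in non-blocking mode), so a slow or absent consumer stalls the producer rather than silently dropping data.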
