[Oisf-users] A few questions about logging.

Cooper F. Nelson cnelson at ucsd.edu
Wed Jul 23 17:11:55 UTC 2014



Hi Victor!

I know this may be a tall order, but here goes...

Would it be possible to add pcap logging for the "worker" runmode that
does the following?

1.  Forwards packets to a virtual interface on the loopback (i.e. lo:1,
lo:2, etc.), one per worker thread.

2.  Honors stream depth and drops SSL traffic past the handshake (like
the pcap logs).

3.  Honors pass rules.  So, the logging would happen after the detect
process, not before.

The idea is that I would like to attach an indexed packet capture
process to each thread that in turn spools packets to a dedicated disk.

-Coop

On 7/18/2014 6:04 AM, Victor Julien wrote:
> On 07/16/2014 06:59 PM, Cooper F. Nelson wrote:
>> Does suricata honor pass rules when exporting JSON and pcap logs?
> 
> Pass rules only affect detection, not event logging (like HTTP events)
> or pcap recording.
> 
>> Can suricata write to a named pipe instead of a file?  I.e., can I 
>> specify a FIFO for the pcap.log file and then monitor it with
>> another program?
> 
> For most outputs we support unix sockets, but not for pcap logging.
> 


--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
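Victor's reply above notes that most Suricata outputs (though not pcap logging) can write to a unix socket. As an added illustration that is not part of this thread, the consumer below reads newline-delimited EVE JSON the way a program listening on such a socket would, reassembling records that arrive split across reads. The event records are constructed for the example, and the socket path in the comment is an assumption; Suricata itself is pointed at a socket with the eve-log `filetype: unix_stream` setting.

```python
import json
import socket

# Constructed EVE-style records standing in for Suricata output. Suricata would
# be configured with `outputs: - eve-log: filetype: unix_stream` and a filename
# such as /var/run/suricata/eve.sock (path is an assumption for this example).
SAMPLE_EVENTS = [
    {"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
     "alert": {"signature_id": 1000001, "action": "allowed"}},
    {"event_type": "http", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
     "http": {"hostname": "example.test", "url": "/"}},
    {"event_type": "alert", "src_ip": "10.0.0.7", "dest_ip": "10.0.0.9",
     "alert": {"signature_id": 1000002, "action": "allowed"}},
]


def iter_eve_records(sock, bufsize=64):
    """Yield parsed JSON objects from a newline-delimited EVE stream.

    Bytes are buffered until a newline arrives, so a record that spans two
    recv() calls (bufsize is deliberately small here) is reassembled instead
    of being dropped or raising a JSONDecodeError.
    """
    buf = b""
    while True:
        chunk = sock.recv(bufsize)
        if not chunk:  # peer closed the socket
            break
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            if line.strip():
                yield json.loads(line)
    if buf.strip():  # trailing record sent without a final newline
        yield json.loads(buf)


def count_by_type(records):
    """Tally records by their EVE event_type."""
    counts = {}
    for rec in records:
        counts[rec["event_type"]] = counts.get(rec["event_type"], 0) + 1
    return counts


def demo():
    """Push the constructed records through an in-process unix socket pair."""
    writer, reader = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    writer.sendall(b"".join(json.dumps(e).encode() + b"\n" for e in SAMPLE_EVENTS))
    writer.close()
    records = list(iter_eve_records(reader))
    reader.close()
    return records
```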