[Oisf-users] Processing offline pcap files with suricata

Eric Leblond eric at regit.org
Mon Oct 6 14:07:25 UTC 2014


Hi,


On Mon, 2014-10-06 at 14:04 +0000, C. L. Martinez wrote:
> Hi all,
> 
>  Sorry for the stupid question, but if I remember well Suricata can
> process offline pcap files. I have tried the "-r" switch without
> luck; it returns the following error:
> 
> 6/10/2014 -- 13:42:24 - <Info> - 18 rule files processed. 13253 rules
> successfully loaded, 0 rules failed
> 6/10/2014 -- 13:42:48 - <Info> - 13253 signatures processed. 748 are
> IP-only rules, 3713 are inspecting packet payload, 11179 inspect
> application layer, 0 are decoder event only
> 6/10/2014 -- 13:42:48 - <Info> - building signature grouping
> structure, stage 1: adding signatures to signature source addresses...
> complete
> 6/10/2014 -- 13:42:48 - <Info> - building signature grouping
> structure, stage 2: building source address list... complete
> 6/10/2014 -- 13:43:07 - <Info> - building signature grouping
> structure, stage 3: building destination address lists... complete
> 6/10/2014 -- 13:43:07 - <Info> - Registered 13253 rule profiling counters.
> 6/10/2014 -- 13:43:07 - <Info> - Threshold config parsed: 4 rule(s) found
> 6/10/2014 -- 13:43:07 - <Info> - Max dump is 0
> 6/10/2014 -- 13:43:07 - <Info> - Core dump setting attempted is 0
> 6/10/2014 -- 13:43:07 - <Info> - Core dump size set to 0
> 6/10/2014 -- 13:43:07 - <Info> - fast output device (regular)
> initialized: fast.log
> 6/10/2014 -- 13:43:07 - <Info> - Unified2-alert initialized: filename
> unified2.alert, limit 5 MB
> 6/10/2014 -- 13:43:07 - <Error> - [ERRCODE: SC_ERR_RUNMODE(187)] - The
> custom type "workers" doesn't exist for this runmode type "PCAP_FILE".
> Please use --list-runmodes to see available custom types for this
> runmode
> 
> Suricata release is 1.4.7 (yes I know, I need to upgrade to 2.0.x).
> What am I doing wrong?

You are using runmode workers, which is not available for pcap because
you can't read a pcap file simultaneously from different threads. Try
"--runmode autofp" or fix your yaml.

BR,


-- 
Eric Leblond <eric at regit.org>
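As an added example (not code from the thread or from the Suricata project), a small POSIX shell pre-flight helper with hypothetical function names: it reads the top-level runmode from a suricata.yaml and substitutes autofp for workers before building an offline "suricata -r" command line, so the SC_ERR_RUNMODE failure above is caught before the rules are even loaded. It assumes the stock unindented "runmode:" key and the "-c" / "-l" options for config file and log directory.

```shell
#!/bin/sh
# Added example, not from the thread. Suricata rejects "--runmode workers"
# for PCAP_FILE (SC_ERR_RUNMODE), so read the top-level "runmode:" key from
# suricata.yaml and swap workers for autofp before building the command line.
# Function names are hypothetical.

# Print the top-level runmode configured in a suricata.yaml, or "unset"
# when the key is absent or commented out (assumes "runmode: <value>" with
# no indentation, as in the stock suricata.yaml).
yaml_runmode() {
    val=$(sed -n 's/^runmode:[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | head -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Map a configured runmode to one valid for reading a pcap file:
# "workers" becomes "autofp" (a single file cannot be read by several
# threads at once); "unset" prints nothing so Suricata picks its default;
# anything else is passed through unchanged.
pcap_runmode() {
    case "$1" in
        workers) printf 'autofp\n' ;;
        unset)   printf '\n' ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# Print (do not execute) the suricata command line for an offline run of
# pcap $2 with config $1 and log directory $3, adding --runmode only when
# the configured mode had to be overridden or was set explicitly.
offline_cmd() {
    mode=$(pcap_runmode "$(yaml_runmode "$1")")
    if [ -n "$mode" ]; then
        printf 'suricata -c %s -r %s -l %s --runmode %s\n' "$1" "$2" "$3" "$mode"
    else
        printf 'suricata -c %s -r %s -l %s\n' "$1" "$2" "$3"
    fi
}

# Constructed sample config reproducing the poster's situation.
cfg=$(mktemp)
printf '%%YAML 1.1\n---\nrunmode: workers\n' > "$cfg"
offline_cmd "$cfg" capture.pcap /var/log/suricata
rm -f "$cfg"
```

Pipe the printed line to sh once it looks right; a "runmode: workers" config yields "--runmode autofp", a commented-out key yields no --runmode at all.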