[Oisf-users] Processing offline pcap files with suricata

C. L. Martinez carlopmart at gmail.com
Mon Oct 6 14:14:57 UTC 2014


On Mon, Oct 6, 2014 at 2:07 PM, Eric Leblond <eric at regit.org> wrote:
> Hi,
>
>
> On Mon, 2014-10-06 at 14:04 +0000, C. L. Martinez wrote:
>> Hi all,
>>
>>  Sorry for the stupid question but if I remember well suricata can
>> process offline pcap files. I have tried with "-r" switch without
>> luck, returns the following error:
>>
>> 6/10/2014 -- 13:42:24 - <Info> - 18 rule files processed. 13253 rules
>> successfully loaded, 0 rules failed
>> 6/10/2014 -- 13:42:48 - <Info> - 13253 signatures processed. 748 are
>> IP-only rules, 3713 are inspecting packet payload, 11179 inspect
>> application layer, 0 are decoder event only
>> 6/10/2014 -- 13:42:48 - <Info> - building signature grouping
>> structure, stage 1: adding signatures to signature source addresses...
>> complete
>> 6/10/2014 -- 13:42:48 - <Info> - building signature grouping
>> structure, stage 2: building source address list... complete
>> 6/10/2014 -- 13:43:07 - <Info> - building signature grouping
>> structure, stage 3: building destination address lists... complete
>> 6/10/2014 -- 13:43:07 - <Info> - Registered 13253 rule profiling counters.
>> 6/10/2014 -- 13:43:07 - <Info> - Threshold config parsed: 4 rule(s) found
>> 6/10/2014 -- 13:43:07 - <Info> - Max dump is 0
>> 6/10/2014 -- 13:43:07 - <Info> - Core dump setting attempted is 0
>> 6/10/2014 -- 13:43:07 - <Info> - Core dump size set to 0
>> 6/10/2014 -- 13:43:07 - <Info> - fast output device (regular)
>> initialized: fast.log
>> 6/10/2014 -- 13:43:07 - <Info> - Unified2-alert initialized: filename
>> unified2.alert, limit 5 MB
>> 6/10/2014 -- 13:43:07 - <Error> - [ERRCODE: SC_ERR_RUNMODE(187)] - The
>> custom type "workers" doesn't exist for this runmode type "PCAP_FILE".
>> Please use --list-runmodes to see available custom types for this
>> runmode
>>
>> Suricata release is 1.4.7 (yes I know, I need to upgrade to 2.0.x).
>> What am I doing wrong?
>
> You are using runmode workers which is not available for pcap because
> you can't read simultaneously a pcap file from different threads. Try
> "--runmode autofp" or fix your yaml.
>
> BR,

Yep, many thanks Eric. It works.
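An added example, not from the thread: a small parser for Suricata 1.4-style startup output like the one quoted above, which re-joins log lines that a mail client wrapped and pulls out the error code and message from `<Error>` records (e.g. `SC_ERR_RUNMODE(187)`), so a pcap-processing job can fail fast on such startup errors instead of silently producing an empty fast.log. The sample log text is constructed from the quoted output; the function names are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the wrapped Suricata 1.4.7 startup output quoted in the thread.
SAMPLE_LOG = """\
6/10/2014 -- 13:42:24 - <Info> - 18 rule files processed. 13253 rules
successfully loaded, 0 rules failed
6/10/2014 -- 13:43:07 - <Info> - fast output device (regular)
initialized: fast.log
6/10/2014 -- 13:43:07 - <Error> - [ERRCODE: SC_ERR_RUNMODE(187)] - The
custom type "workers" doesn't exist for this runmode type "PCAP_FILE".
Please use --list-runmodes to see available custom types for this
runmode
"""

# A record starts with "d/m/yyyy -- hh:mm:ss - <Level> - message".
RECORD_RE = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4}) -- (\d{2}:\d{2}:\d{2}) - <(\w+)> - (.*)$"
)
# Error records carry "[ERRCODE: NAME(number)] - text".
ERRCODE_RE = re.compile(r"\[ERRCODE: (\w+)\((\d+)\)\] - (.*)")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split log text into records. A line without a timestamp is treated as
    the continuation of the previous record (line-wrapped output)."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            date, time, level, msg = m.groups()
            records.append({"date": date, "time": time, "level": level, "message": msg})
        elif records and line.strip():
            records[-1]["message"] += " " + line.strip()
    return records


def find_errors(records: List[Dict[str, str]]) -> List[Tuple[str, int, str]]:
    """Return (code_name, code_number, message) for every <Error> record;
    errors without an ERRCODE tag are reported as ("UNKNOWN", -1, message)."""
    out: List[Tuple[str, int, str]] = []
    for r in records:
        if r["level"] != "Error":
            continue
        m = ERRCODE_RE.match(r["message"])
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
        else:
            out.append(("UNKNOWN", -1, r["message"]))
    return out
```

Run the parser over captured stderr/suricata.log after `suricata -r file.pcap` and treat a non-empty `find_errors` result as a failed job.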
