[Oisf-users] Flow updates

Cooper F. Nelson cnelson at ucsd.edu
Mon Dec 7 18:40:27 UTC 2015


I would think it would be easiest to just use a separate program to do
the packet logging, vs. modifying suricata.

You should be able to run something like daemonlogger or bro's
timemachine on the same hardware if it isn't oversubscribed.

-Coop

On 12/7/2015 5:31 AM, Michael da Silva Pereira wrote:
> Good day,
> I've been messing around with the flows in Suricata 2.1+ and I've come
> across a potential requirement I would need it to do.
> Currently it seems flows are only written out on connection
> close/timeout; is this modifiable to include an update, or a specific
> interval of traffic to send an updated flow (i.e., reason = update)?
> My issue is that I might have a flow last several hours on a stable
> connection, and can only account for the traffic once the flow is closed.
> I've had a look at the source code, however my C is very limited and I
> can't work out what's actually writing out the flow records for the
> flow-manager.
> Any help would be appreciated.
> Thanks,
> Michael 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042


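As an added illustration of the accounting problem Michael describes (a multi-hour flow whose bytes only appear in the EVE flow record once the flow closes), the script below is not Suricata code or anything from the list; it is an example of working around the single end-of-flow record without modifying Suricata. It reads EVE JSON lines, keeps only `event_type == "flow"` records, and spreads each flow's `bytes_toserver + bytes_toclient` across hourly buckets in proportion to how long the flow overlapped each hour, using the flow's `flow.start` and `flow.end` timestamps. The field names are those of Suricata's EVE flow output; the sample records themselves are constructed for this example.

```python
import json
from datetime import datetime, timedelta

# Suricata EVE timestamp layout, e.g. "2015-12-07T13:00:00.000000+0000"
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Constructed EVE lines (not real traffic): one short flow, one 3-hour
# flow emitted only at timeout, and one non-flow event that must be skipped.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2015-12-07T13:30:00.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP",'
    '"flow":{"pkts_toserver":10,"pkts_toclient":12,"bytes_toserver":1500,'
    '"bytes_toclient":4500,"start":"2015-12-07T13:00:00.000000+0000",'
    '"end":"2015-12-07T13:30:00.000000+0000","age":1800,'
    '"state":"closed","reason":"timeout"}}',
    '{"timestamp":"2015-12-07T15:30:00.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"TCP",'
    '"flow":{"pkts_toserver":20000,"pkts_toclient":30000,'
    '"bytes_toserver":1000000,"bytes_toclient":2000000,'
    '"start":"2015-12-07T12:30:00.000000+0000",'
    '"end":"2015-12-07T15:30:00.000000+0000","age":10800,'
    '"state":"closed","reason":"timeout"}}',
    '{"timestamp":"2015-12-07T14:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"TCP",'
    '"alert":{"signature_id":1,"signature":"constructed test alert"}}',
]


def parse_ts(value):
    """Parse a Suricata EVE timestamp into an aware datetime."""
    return datetime.strptime(value, TS_FMT)


def floor_to_bucket(ts, bucket):
    """Round ts down to the start of its bucket, measured from midnight."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    elapsed = (ts - midnight).total_seconds()
    step = bucket.total_seconds()
    return midnight + timedelta(seconds=(elapsed // step) * step)


def bucket_key(ts):
    """Stable string key for a bucket start, e.g. '2015-12-07T13:00'."""
    return ts.strftime("%Y-%m-%dT%H:%M")


def attribute_bytes(eve_lines, bucket=timedelta(hours=1)):
    """Distribute each flow's bytes over the buckets its lifetime overlaps.

    Returns {bucket_key: bytes}. A flow of zero duration is charged entirely
    to the bucket containing its start time.
    """
    totals = {}
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "flow":
            continue  # alerts, dns, http, ... carry no byte accounting here
        flow = rec["flow"]
        start, end = parse_ts(flow["start"]), parse_ts(flow["end"])
        nbytes = flow.get("bytes_toserver", 0) + flow.get("bytes_toclient", 0)
        duration = (end - start).total_seconds()
        if duration <= 0:
            key = bucket_key(floor_to_bucket(start, bucket))
            totals[key] = totals.get(key, 0.0) + nbytes
            continue
        cur = floor_to_bucket(start, bucket)
        while cur < end:
            nxt = cur + bucket
            overlap = (min(end, nxt) - max(start, cur)).total_seconds()
            if overlap > 0:
                key = bucket_key(cur)
                totals[key] = totals.get(key, 0.0) + nbytes * overlap / duration
            cur = nxt
    return totals


if __name__ == "__main__":
    for key, nbytes in sorted(attribute_bytes(SAMPLE_EVE_LINES).items()):
        print(f"{key}  {int(nbytes):>12} bytes")
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE_LINES` with the file's lines; the proportional split is an approximation (it assumes a flow's bytes arrived evenly over its lifetime), which is the trade-off of working from the single end-of-flow record instead of periodic updates.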