[Oisf-users] Flow updates
Cooper F. Nelson
cnelson at ucsd.edu
Mon Dec 7 18:40:27 UTC 2015
I would think it would be easiest to just use a separate program to do the packet logging, vs. modifying Suricata.
You should be able to run something like daemonlogger or Bro's Time Machine on the same hardware if it isn't oversubscribed.
-Coop
On 12/7/2015 5:31 AM, Michael da Silva Pereira wrote:
> Good day,
>
> I've been messing around with the flows in Suricata 2.1+ and I've come across a potential requirement I would need it to do.
>
> Currently it seems flows are only written out on connection close/timeout. Is this modifiable to include an update, or a specific interval of traffic at which to send an updated flow (i.e., reason = update)?
>
> My issue is that I might have a flow last several hours on a stable connection, and can only account for the traffic once the flow is closed.
>
> I've had a look at the source code; however, my C is very limited and I can't work out what's actually writing out the flow records for the flow-manager.
>
> Any help would be appreciated.
>
> Thanks,
> Michael
>
>
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
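An added example, not code from this thread or from Suricata: a small Python model of the interim "update" flow record Michael is asking for. Field names are modelled on Suricata's EVE flow event (flow_id, pkts_toserver, bytes_toserver, reason), the packet stream is constructed, and the update interval is an assumption, not an existing Suricata option.

```python
UPDATE_INTERVAL = 600.0  # seconds between interim "update" records (assumed setting)

# Constructed packet stream for one long-lived TCP flow: (timestamp, direction, bytes).
# "ts" = to server, "tc" = to client. Timestamps span about 35 minutes.
PACKETS = [
    (0.0, "ts", 60), (0.1, "tc", 60), (0.2, "ts", 52),
    (300.0, "ts", 1500), (300.2, "tc", 52),
    (700.0, "tc", 1500), (700.1, "ts", 52),
    (1300.0, "ts", 900), (1300.3, "tc", 900),
    (2100.0, "ts", 52), (2100.1, "tc", 52),
]

def flow_records(packets, interval=UPDATE_INTERVAL):
    """Flow records this stream would produce if an interim 'update' record
    were emitted every `interval` seconds, plus one record on close/timeout.
    Counters are cumulative, like the EVE flow event, so a consumer can
    account traffic before the flow ends by diffing successive records."""
    counters = {"pkts_toserver": 0, "pkts_toclient": 0,
                "bytes_toserver": 0, "bytes_toclient": 0}
    start = packets[0][0]
    next_update = start + interval
    records = []

    def emit(ts, reason):
        records.append({"flow_id": 1, "start": start, "end": ts,
                        "age": round(ts - start, 1), "reason": reason, **counters})

    for ts, direction, size in packets:
        # Emit every interim record whose interval boundary has passed.
        while ts >= next_update:
            emit(next_update, "update")
            next_update += interval
        if direction == "ts":
            counters["pkts_toserver"] += 1
            counters["bytes_toserver"] += size
        else:
            counters["pkts_toclient"] += 1
            counters["bytes_toclient"] += size
    emit(packets[-1][0], "timeout")  # the only record close-only logging gives you
    return records

def interval_deltas(records):
    """(bytes_toserver, bytes_toclient) moved in each interval, from cumulative records."""
    prev = {"bytes_toserver": 0, "bytes_toclient": 0}
    deltas = []
    for r in records:
        deltas.append((r["bytes_toserver"] - prev["bytes_toserver"],
                       r["bytes_toclient"] - prev["bytes_toclient"]))
        prev = r
    return deltas
```

With close-only logging, only the last record (reason "timeout") exists, so the first 2100 seconds of traffic are unaccounted for until the flow ends.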