[Oisf-users] Suricata with multiple pcap files

Tom DeCanio decanio.tom at gmail.com
Mon Jul 27 17:17:55 UTC 2015


At times I've used suricata with netmap vale.  Tcpreplay can be gotten from
github with netmap support.  Play tcpreplay into vale with suricata
attached to vale.  Comment out the learning code within vale and all works
quite well.  I assume this probably works with netmap pipes without having
to hack at netmap, but I've not actually tried that.  You can use tcpreplay
to send multiple pcaps.

Tom

On Mon, Jul 27, 2015 at 8:49 AM, Rasmor, Zachary R <
zachary.r.rasmor at lmco.com> wrote:

> Hi,
>
> I was looking over some of the features for pcap file/offline mode as of
> 2.1beta4. From what I can see, the only way to run multiple pcap files
> through Suricata (without restarting the engine for each file) is to use
> Unix Socket mode – is this understanding correct? Per the --list-runmodes
> option, Unix Socket mode only supports “single” runmode. Are there any
> plans to support workers mode with Unix Socket in the future?
>
> I also noticed that the -r option supports both the “single” and “autofp”
> runmodes, but this appears to only support providing one pcap file at a
> time. I would like to have the flexibility of supplying an arbitrary number
> of pcap files without restarting Suricata each time, so I wanted to confirm
> that Unix Socket is the only option.
>
> Thanks,
>
> Zach
>
> ________________________
>
> Zach Rasmor
> Senior Software Engineer
> Lockheed Martin CIRT
> 700 N Frederick Ave | Gaithersburg, MD 20879
> Email: zachary.r.rasmor at lmco.com
> Office: 301.240.6116
>
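As an added illustration (not code from either poster), a minimal Python client for the Unix Socket mode Zach asks about, following the protocol that the suricatasc tool speaks: a version handshake, then one `pcap-file` command per capture, so an arbitrary number of pcaps can be queued without restarting the engine. The protocol version string, output directory and file names are assumptions; `run_offline` exercises the client against a constructed engine stand-in so it runs without Suricata installed.

```python
import json
import socket
import threading

# Assumed wire protocol (as spoken by suricatasc): a version handshake, then
# one JSON object per command, each answered with {"return": "OK"|"NOK", ...}.
PROTOCOL_VERSION = "0.1"

def recv_json(sock):
    buf = b""  # a reply may arrive in pieces: read until one object parses
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the socket")
        buf += chunk
        try:
            return json.loads(buf.decode())
        except ValueError:
            pass

def call(sock, obj):
    sock.sendall(json.dumps(obj).encode())
    return recv_json(sock)

def queue_pcaps(sock, pcap_files, output_dir):
    """Queue pcaps on a connected unix-socket-mode Suricata; stop at the first refusal."""
    if call(sock, {"version": PROTOCOL_VERSION}).get("return") != "OK":
        raise RuntimeError("version handshake refused")
    accepted = []
    for path in pcap_files:
        reply = call(sock, {"command": "pcap-file", "arguments":
                            {"filename": path, "output-dir": output_dir}})
        if reply.get("return") != "OK":
            break
        accepted.append(path)
    return accepted

def run_offline(pcap_files, refuse=()):
    """Drive queue_pcaps against a constructed engine stand-in over a socketpair."""
    client, server = socket.socketpair()
    def engine():  # answers OK, except NOK for any filename listed in `refuse`
        try:
            while True:
                name = recv_json(server).get("arguments", {}).get("filename")
                server.sendall(json.dumps({"return": "NOK" if name in refuse else "OK"}).encode())
        except ConnectionError:
            server.close()
    threading.Thread(target=engine, daemon=True).start()  # exits once client closes
    with client:
        return queue_pcaps(client, pcap_files, "/tmp/suri-out")
```

Against a live engine, connect an `AF_UNIX` stream socket to Suricata's command socket path and hand it to `queue_pcaps`; stopping at the first NOK keeps a refused file from being silently skipped in a batch.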