Project

General

Profile

Actions

Feature #1476

closed

Suricata Unix socket PCAP processing stats should not need to reset after each run

Added by Marius Ciepluch over 9 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

Hi,

I am using suricata with the Unix socket API.
I would like to be able to apply thresholds and limits on a consecutive PCAP file processing on a sensor to limit the alert output for certain signatures.

Here is my workflow:
1.) netsniff-ng puts a 3 GB PCAP to the SAN
2.) the PCAP gets queue'ed via the Unix socket API with suricatasc
3.) this results in suricata generating Syslog and Barnyard2 output
4.) the outputs are not limited or thresholded even though the treshold.conf is configured

I think we can add an option to keep the stats. However for now the suricata engine resets completely after 1 PCAP run. This also is affecting stats.log - we have multiple sessions inside this. This is rather bad actually, because the stats are not meaningful this way.

This is Suricata version 2.0.6 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.3, C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.16, linked against LibHTP v0.5.16
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          no
  libnspr support:                         no
  libjansson support:                      yes
  Prelude support:                         yes
  PCRE jit:                                yes
  LUA support:                             yes
  libluajit:                               yes
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix (--prefix):          /usr
  Configuration directory (--sysconfdir):  /etc/suricata/
  Log directory (--localstatedir) :        /var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     yes
  GCC march native enabled:                yes
  GCC Profile enabled:                     no

Best,
Marius


Related issues 1 (0 open1 closed)

Is duplicate of Suricata - Feature #724: Prevent resetting in UNIX socket modeClosedDanny Browning01/17/2013Actions
Actions

Also available in: Atom PDF