Feature #2421
closedadd system mode and user mode
Added by Richard Sailer almost 7 years ago. Updated over 5 years ago.
Description
Add distinction between system and user modes, where the normal IDS modes are system modes, but the offline pcap runmodes are not.
For the user mode, the default log dir should be ignored and the current work dir should be used instead.
Updated by Victor Julien almost 7 years ago
Some tools make a distinction between a 'user mode' and a 'system mode'. Perhaps something similar would make sense here. The regular IDS/IPS modes would count as 'system modes' where the default log location (e.g. /var/log/suricata) makes sense. A user processing a pcap file would count as a 'user mode' where the output should probably go to another location. Perhaps there it would make sense to write output to the CWD (iirc Bro does this).
Updated by Jason Ish almost 7 years ago
I like what Victor is suggesting. Perhaps for pcaps the default log directory should be "." regardless of whats in the config file. Even if running as root, you wouldn't want to clobber the default log directory if Suricata is running as a daemon.
I more often than not do something like "-l ." or "-l ./log" when using pcaps.
Updated by Richard Sailer almost 7 years ago
I also think a distinction between 'user mode' and 'system mode' would make sense.
But this opens a new question: How fundamental should that distinction be and how exactly should it manifest?
Like:
- Would it make sense to have a own user interface (like a wrapper script) with a own manpage for the 'user mode' usage
(This could add/consolidate more 'user mode like' features into this script, and give nicer usability)
- Would it make sense to have a own (small) chapter in the user guide for "user mode usage" of suricata.
Updated by Victor Julien almost 7 years ago
We could simply make it part of the 'runmodes' logic (e.g. see ./src/suricata --list-runmodes). A runmode could register if it is a system mode or a user mode.
Updated by Danny Browning over 6 years ago
Maybe just a --daemon or --server option?
Uses /var/log, enables unix socket, turns on capture, etc. Config would still take priority, but if not set, has default behavior. Thinking a flag like that would be useful for things like state serialization and log rolling, without needing them specified.
Updated by Victor Julien over 6 years ago
- Assignee changed from Richard Sailer to OISF Dev
This 'server mode' is implied with the 'live' runmodes, so not sure we need an option for it. '-r' with that option wouldn't make sense anyway.
Updated by Victor Julien about 6 years ago
- Assignee changed from OISF Dev to Anonymous
- Effort set to low
- Difficulty set to low
Updated by Victor Julien over 5 years ago
- Subject changed from Warn user if -r (pcap offline mode) is used with default log dir to add system mode and user mode
- Status changed from New to Assigned
- Assignee changed from Community Ticket to Victor Julien
- Target version changed from TBD to 5.0beta1
- Effort deleted (
low) - Difficulty deleted (
low)
Updated by Victor Julien over 5 years ago
- Status changed from Assigned to Closed