Bug #2008

closed

Suricata 3.2, pcap-log no longer works due to timestamp_pattern PCRE

Added by Brian Keefer over 7 years ago. Updated over 7 years ago.

Status: Closed
Priority: High

Description

On CentOS 6.8 with PCRE 7.8 I upgraded from Suricata 3.1-dev to 3.2 and now I cannot start it with pcap-log enabled. I get "Fail to study pcre".

It looks like the PCRE for timestamp_pattern was introduced in https://github.com/inliniac/suricata/commit/bbb93e487e6a4c206b158335128f108c8b08f909#diff-4748a24c4840feb50eb23119ad553bc7

Actions #1

Updated by Jason Ish over 7 years ago

Can you please provide a sample of your pcap-log configuration section?

Actions #2

Updated by Brian Keefer over 7 years ago

 - pcap-log:
     enabled: yes
     dir: pcaps
     filename: log.pcap

     # File size limit. Can be specified in kb, mb, gb. A bare number
     # is parsed as bytes.
     limit: 512mb

     # If set to a value, enables ring buffer mode: keeps at most "max-files" files of size "limit".
     max-files: 2000

     mode: normal # normal, multi or sguil.
     #sguil-base-dir: /nsm_data/
     #ts-format: usec # sec or usec. Second format (default) is filename.sec; usec is filename.sec.usec
     use-stream-depth: yes # If set to "yes", packets seen after reaching stream inspection depth are ignored. "no" logs all packets.
     honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.

Actions #3

Updated by Jason Ish over 7 years ago

  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Target version set to 3.2.1