Project

General

Profile

Actions

Bug #2008

closed

Suricata 3.2, pcap-log no longer works due to timestamp_pattern PCRE

Added by Brian Keefer almost 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
High
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

On CentOS 6.8 with PCRE 7.8 I upgraded from Suricata 3.1-dev to 3.2 and now I cannot start in with pcap-log enabled. I get "Fail to study pcre".

It looks like the PCRE for timestamp_pattern was introduced in https://github.com/inliniac/suricata/commit/bbb93e487e6a4c206b158335128f108c8b08f909#diff-4748a24c4840feb50eb23119ad553bc7

Actions #1

Updated by Jason Ish almost 5 years ago

Can you please provide a sample of your pcap-log configuration section?

Actions #2

Updated by Brian Keefer almost 5 years ago

 - pcap-log:
     enabled:  yes
     dir: pcaps
     filename: log.pcap

     # File size limit.  Can be specified in kb, mb, gb.  Just a number
     # is parsed as bytes.
     limit: 512mb

     # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" 
     max-files: 2000

     mode: normal # normal, multi or sguil.
     #sguil-base-dir: /nsm_data/
     #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
     use-stream-depth: yes #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
     honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
Actions #3

Updated by Jason Ish almost 5 years ago

  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Target version set to 3.2.1
Actions

Also available in: Atom PDF