Bug #2008: Suricata 3.2, pcap-log no longer works due to timestamp_pattern PCRE

Added by Brian Keefer over 9 years ago. Updated over 9 years ago.

Status: Closed
Priority: High

Description

On CentOS 6.8 with PCRE 7.8, I upgraded from Suricata 3.1-dev to 3.2 and now I cannot start it with pcap-log enabled. I get "Fail to study pcre".

It looks like the PCRE for timestamp_pattern was introduced in https://github.com/inliniac/suricata/commit/bbb93e487e6a4c206b158335128f108c8b08f909#diff-4748a24c4840feb50eb23119ad553bc7

Updated by Jason Ish over 9 years ago #1

Can you please provide a sample of your pcap-log configuration section?

Updated by Brian Keefer over 9 years ago #2

  - pcap-log:
      enabled: yes
      dir: pcaps
      filename: log.pcap

      # File size limit. Can be specified in kb, mb, gb. A bare number
      # is parsed as bytes.
      limit: 512mb

      # If set, enables ring-buffer mode: keeps at most "max-files" files of size "limit".
      max-files: 2000

      mode: normal # normal, multi or sguil.
      #sguil-base-dir: /nsm_data/
      #ts-format: usec # sec or usec. sec (default) names files filename.sec; usec names them filename.sec.usec.
      use-stream-depth: yes # If set to "yes", packets seen after reaching the stream inspection depth are ignored. "no" logs all packets.
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.

Updated by Jason Ish over 9 years ago #3

  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Target version set to 3.2.1