Open Information Security Foundation
Suricata - Feature #2222: Batch submission of PCAPs over the socket https://redmine.openinfosecfoundation.org/issues/2222?journal_id=8675 2017-10-07T07:54:21Z Victor Julien victor@inliniac.net
<ul><li><strong>Assignee</strong> set to <i>Anonymous</i></li></ul>
Suricata - Feature #2222: Batch submission of PCAPs over the socket https://redmine.openinfosecfoundation.org/issues/2222?journal_id=8700 2017-10-12T16:51:43Z Andreas Herz oisf@herzandreas.de
<ul><li><strong>Target version</strong> set to <i>TBD</i></li></ul><p>What do you think such a combination should look like? Or do you just want to use <strong>-r /tmp/foobar</strong> instead of <strong>-r /tmp/foobar/1.pcap</strong>, <strong>-r /tmp/foobar/2.pcap</strong> and so on?</p>
Suricata - Feature #2222: Batch submission of PCAPs over the socket https://redmine.openinfosecfoundation.org/issues/2222?journal_id=8712 2017-10-14T04:06:38Z Ralph Broenink
<ul></ul><p>Andreas Herz wrote:</p>
<blockquote>
<p>What do you think such a combination should look like? Or do you just want to use <strong>-r /tmp/foobar</strong> instead of <strong>-r /tmp/foobar/1.pcap</strong>, <strong>-r /tmp/foobar/2.pcap</strong> and so on?</p>
</blockquote>
<p>I'm thinking more like providing a list of pcaps through the socket, e.g. <code>s.send_command("pcap-files", {"filenames": ["1.pcap","2.pcap"], "output-dirs": ["/1", "/2"]})</code></p>
<p>Multiple output-dirs is something that is needed as long as issue <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: offline: add pcap file name to EVE (Closed)" href="https://redmine.openinfosecfoundation.org/issues/1386">#1386</a> is not resolved.</p>
Suricata - Feature #2222: Batch submission of PCAPs over the socket https://redmine.openinfosecfoundation.org/issues/2222?journal_id=8842 2017-10-30T11:48:47Z Danny Browning
<ul></ul><p>I believe this PR satisfies this request, but not <a class="external" href="https://redmine.openinfosecfoundation.org/issues/1386">https://redmine.openinfosecfoundation.org/issues/1386</a></p>
<p><a class="external" href="https://github.com/OISF/suricata/pull/2957">https://github.com/OISF/suricata/pull/2957</a></p>
Suricata - Feature #2222: Batch submission of PCAPs over the socket https://redmine.openinfosecfoundation.org/issues/2222?journal_id=8844 2017-10-30T12:04:02Z Danny Browning
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>Assignee</strong> changed from <i>Anonymous</i> to <i>Danny Browning</i></li></ul><p>Ralph, that PR allows a directory to be specified with multiple files, but suricata state will not be reset between files, and files will be processed in order of modified time.</p>
<p>If you want reset between files with separate output directory, I can do another PR. Looking at a format of</p>
<pre>
{
"command" : "pcap-files",
"arguments" : {
"files" : [
{
"filename" : "path-to-file",
"output-dir" : "path-to-output-directory"
},
...
]
}
}
</pre>
Suricata - Feature #2222: Batch submission of PCAPs over the socket https://redmine.openinfosecfoundation.org/issues/2222?journal_id=8917 2017-11-28T10:03:18Z Danny Browning
<ul><li><strong>Has duplicate</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/2299">Feature #2299</a>: pcap: read directory with pcaps from the commandline</i> added</li></ul>
Suricata - Feature #2222: Batch submission of PCAPs over the socket https://redmine.openinfosecfoundation.org/issues/2222?journal_id=8919 2017-11-28T10:03:50Z Danny Browning
<ul><li><strong>Has duplicate</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/724">Feature #724</a>: Prevent resetting in UNIX socket mode</i> added</li></ul>
Suricata - Feature #2222: Batch submission of PCAPs over the socket https://redmine.openinfosecfoundation.org/issues/2222?journal_id=8921 2017-11-28T10:04:21Z Danny Browning
<ul><li><strong>Has duplicate</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/1476">Feature #1476</a>: Suricata Unix socket PCAP processing stats should not need to reset after each run</i> added</li></ul>
Suricata - Feature #2222: Batch submission of PCAPs over the socket https://redmine.openinfosecfoundation.org/issues/2222?journal_id=8930 2017-11-28T13:31:30Z Victor Julien victor@inliniac.net
<ul><li><strong>Has duplicate</strong> deleted (<i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/724">Feature #724</a>: Prevent resetting in UNIX socket mode</i>)</li></ul>
Suricata - Feature #2222: Batch submission of PCAPs over the socket https://redmine.openinfosecfoundation.org/issues/2222?journal_id=8933 2017-11-28T13:32:00Z Victor Julien victor@inliniac.net
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/724">Feature #724</a>: Prevent resetting in UNIX socket mode</i> added</li></ul>
Suricata - Feature #2222: Batch submission of PCAPs over the socket https://redmine.openinfosecfoundation.org/issues/2222?journal_id=8935 2017-11-28T13:32:41Z Victor Julien victor@inliniac.net
<ul><li><strong>Has duplicate</strong> deleted (<i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/1476">Feature #1476</a>: Suricata Unix socket PCAP processing stats should not need to reset after each run</i>)</li></ul>
Suricata - Feature #2222: Batch submission of PCAPs over the socket https://redmine.openinfosecfoundation.org/issues/2222?journal_id=8939 2017-11-28T13:33:28Z Victor Julien victor@inliniac.net
<ul><li><strong>Has duplicate</strong> deleted (<i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/2299">Feature #2299</a>: pcap: read directory with pcaps from the commandline</i>)</li></ul>
Suricata - Feature #2222: Batch submission of PCAPs over the socket https://redmine.openinfosecfoundation.org/issues/2222?journal_id=8941 2017-11-28T13:33:38Z Victor Julien victor@inliniac.net
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/2299">Feature #2299</a>: pcap: read directory with pcaps from the commandline</i> added</li></ul>
Suricata - Feature #2222: Batch submission of PCAPs over the socket https://redmine.openinfosecfoundation.org/issues/2222?journal_id=9141 2017-12-11T02:49:37Z Victor Julien victor@inliniac.net
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Closed</i></li><li><strong>Target version</strong> changed from <i>TBD</i> to <i>4.1beta1</i></li></ul><p><a class="external" href="https://github.com/OISF/suricata/pull/3059">https://github.com/OISF/suricata/pull/3059</a></p>
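<p>As an added illustration, not code from this thread or from the Suricata project, the Python client below submits pcaps over the unix socket in the batch shape Danny Browning sketched in his 2017-10-30 comment, and falls back to queuing one command per file when the daemon rejects the batch. Assumptions: <code>pcap-files</code> is the thread's proposal, not a shipped command; the <code>{"version": "0.1"}</code> handshake and the per-file <code>pcap-file</code> command with <code>filename</code> and <code>output-dir</code> arguments follow the socket protocol as the suricatasc client speaks it; the distinct output-dir check reflects Ralph's remark that per-file output directories are what keeps the EVE logs apart; the stand-in daemon exists only so the example runs offline.</p>

```python
import json
import socket
import threading
def file_entries(pairs):  # one {"filename", "output-dir"} object per (pcap, output dir) pair
    if len({d for _, d in pairs}) != len(pairs):
        raise ValueError("each pcap needs its own output-dir to keep its EVE logs apart")
    return [{"filename": f, "output-dir": d} for f, d in pairs]

def build_pcap_files_command(pairs):  # batch shape proposed in the thread; not a shipped command
    return {"command": "pcap-files", "arguments": {"files": file_entries(pairs)}}

def recv_json(sock):  # messages carry no delimiter: read until one whole JSON object parses
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("socket closed")
        buf += chunk
        try:
            return json.loads(buf.decode())
        except ValueError:
            pass

def exchange(sock, obj):  # one message out, one reply in; never pipeline, or replies coalesce
    sock.sendall(json.dumps(obj).encode())
    return recv_json(sock)

def submit_batch(sock, pairs, batch_supported):  # handshake once, then submit
    if exchange(sock, {"version": "0.1"}).get("return") != "OK":  # version as suricatasc sends
        raise RuntimeError("handshake rejected")
    if batch_supported:
        cmds = [build_pcap_files_command(pairs)]
    else:  # the existing per-file command, queued in list order
        cmds = [{"command": "pcap-file", "arguments": e} for e in file_entries(pairs)]
    return [exchange(sock, cmd) for cmd in cmds]

def fake_suricata(srv, accepted):  # offline stand-in for the daemon, for this demo only
    try:
        ok = "version" in recv_json(srv)  # handshake first, then commands
        while True:
            cmd = exchange(srv, {"return": "OK" if ok else "NOK"})
            ok = cmd.get("command") in accepted
    except ConnectionError:
        srv.close()

def demo(pairs, batch_supported, accepted=("pcap-file",)):  # drive the client over a socketpair
    cli, srv = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    threading.Thread(target=fake_suricata, args=(srv, accepted), daemon=True).start()
    with cli:
        return submit_batch(cli, pairs, batch_supported)
```

Against a real daemon, replace the socketpair with an <code>AF_UNIX</code> connection to the command socket configured under <code>unix-command</code> in suricata.yaml and keep the one-command-in-flight discipline.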