Feature #2222
Batch submission of PCAPs over the socket (Closed)
Description
Currently, it is only possible to send a single PCAP file to the socket. A method to send a list of (pcap, output-dir)-combinations would be very helpful to reduce the amount of messages of the socket.
Updated by Andreas Herz over 7 years ago
- Target version set to TBD
How do you think such a combination should look? Or do you just want to use -r /tmp/foobar instead of -r /tmp/foobar/1.pcap, -r /tmp/foobar/2.pcap and so on?
Updated by Ralph Broenink over 7 years ago
Andreas Herz wrote:
How do you think such a combination should look? Or do you just want to use -r /tmp/foobar instead of -r /tmp/foobar/1.pcap, -r /tmp/foobar/2.pcap and so on?
I'm thinking more like providing a list of pcaps through the socket, e.g. s.send_command("pcap-files", {"filenames": ["1.pcap","2.pcap"], "output-dirs": ["/1", "/2"]})
Multiple output-dirs is something that is needed as long as issue #1386 is not resolved.
Updated by Danny Browning over 7 years ago
I believe this PR satisfies this request, but not https://redmine.openinfosecfoundation.org/issues/1386
Updated by Danny Browning over 7 years ago
- Status changed from New to Feedback
- Assignee changed from Anonymous to Danny Browning
Ralph, that PR allows a directory to be specified with multiple files, but Suricata state will not be reset between files, and files will be processed in order of modified time.
If you want reset between files with separate output directory, I can do another PR. Looking at a format of
{ "command" : "pcap-files", "arguments" : { "files" : [ { "filename" : "path-to-file", "output-dir" : "path-to-output-directory" }, ... ] } }
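As an added illustration of the two message shapes discussed in this thread (Ralph's send_command sketch and the {"files": [{"filename", "output-dir"}, ...]} layout proposed just above), here is a self-contained Python example. It is not Suricata's or suricatasc's code: build_pcap_files_command produces the proposed batch message, validate_pcap_files_arguments is a hypothetical server-side check that refuses output directories outside an operator-chosen root (a caller with socket access otherwise chooses where log files are written), and the exchange runs over an in-process socketpair with newline framing as a stand-in for the real unix socket (the real protocol's version handshake is omitted). The pcap files and directories are constructed scratch fixtures, not real captures.

```python
import json
import os
import socket
import tempfile


def build_pcap_files_command(pairs):
    """Build the batch message in the layout proposed in this thread.

    pairs: iterable of (pcap_path, output_dir) tuples.
    """
    files = [{"filename": pcap, "output-dir": outdir} for pcap, outdir in pairs]
    return {"command": "pcap-files", "arguments": {"files": files}}


def validate_pcap_files_arguments(arguments, allowed_output_root):
    """Hypothetical server-side check run before a batch is queued.

    Each entry must name an existing regular file and an existing directory
    that resolves to a location inside allowed_output_root. Returns a list of
    error strings; an empty list means the batch is acceptable.
    """
    errors = []
    root = os.path.realpath(allowed_output_root)
    files = arguments.get("files")
    if not isinstance(files, list) or not files:
        return ["'files' must be a non-empty list"]
    for i, entry in enumerate(files):
        fn = entry.get("filename") if isinstance(entry, dict) else None
        od = entry.get("output-dir") if isinstance(entry, dict) else None
        if not isinstance(fn, str) or not os.path.isfile(fn):
            errors.append(f"entry {i}: filename is not an existing file: {fn!r}")
        if not isinstance(od, str) or not os.path.isdir(od):
            errors.append(f"entry {i}: output-dir is not an existing directory: {od!r}")
            continue
        # realpath resolves symlinks and '..' so the containment test is meaningful
        real = os.path.realpath(od)
        if os.path.commonpath([root, real]) != root:
            errors.append(f"entry {i}: output-dir escapes {root}: {od!r}")
    return errors


def _read_json_line(sock):
    # Newline framing is an assumption of this example, not the real protocol.
    with sock.makefile("rb") as fh:
        return json.loads(fh.readline())


def send_batch_over_socketpair(pairs, allowed_output_root):
    """Client builds and sends the batch; the 'server' side validates it and
    answers with a reply in the {"return": ..., "message": ...} shape.
    Returns the reply as the client sees it."""
    client, server = socket.socketpair()
    try:
        client.sendall(json.dumps(build_pcap_files_command(pairs)).encode() + b"\n")
        request = _read_json_line(server)
        if request.get("command") != "pcap-files":
            reply = {"return": "NOK", "message": "unknown command"}
        else:
            errors = validate_pcap_files_arguments(request.get("arguments", {}),
                                                  allowed_output_root)
            if errors:
                reply = {"return": "NOK", "message": errors}
            else:
                count = len(request["arguments"]["files"])
                reply = {"return": "OK", "message": f"{count} pcap files queued"}
        server.sendall(json.dumps(reply).encode() + b"\n")
        return _read_json_line(client)
    finally:
        client.close()
        server.close()


def demo():
    """Constructed fixture: two placeholder pcap files, two per-file output
    directories under one root. Runs one acceptable batch and one whose second
    entry points its output-dir outside the allowed root."""
    base = tempfile.mkdtemp(prefix="pcap-batch-")
    caps = os.path.join(base, "captures")
    outroot = os.path.join(base, "logs")
    os.makedirs(caps)
    pairs = []
    for n in (1, 2):
        pcap = os.path.join(caps, f"{n}.pcap")
        with open(pcap, "wb") as fh:
            fh.write(b"\xd4\xc3\xb2\xa1")  # pcap magic bytes only; constructed stub
        outdir = os.path.join(outroot, str(n))
        os.makedirs(outdir)
        pairs.append((pcap, outdir))
    good = send_batch_over_socketpair(pairs, outroot)
    bad = send_batch_over_socketpair([pairs[0], (pairs[1][0], base)], outroot)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The containment check is the part worth keeping whatever the final message layout: with per-file output directories, the socket becomes a way to choose where log files land, so the daemon side should pin those paths under a configured root rather than trusting the caller.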
Updated by Victor Julien over 7 years ago
- Status changed from Feedback to Closed
- Target version changed from TBD to 4.1beta1