Project

General

Profile

Actions

Feature #2421

closed

add system mode and user mode

Added by Richard Sailer almost 5 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Add distinction between system and user modes, where the normal IDS modes are system modes, but the offline pcap runmodes are not.

For the user mode, the default log dir should be ignored and the current work dir should be used instead.

Actions #1

Updated by Andreas Herz almost 5 years ago

  • Target version set to TBD
Actions #2

Updated by Victor Julien almost 5 years ago

Some tools make a distinction between a 'user mode' and a 'system mode'. Perhaps something similar would make sense here. The regular IDS/IPS modes would count as 'system modes' where the default log location (e.g. /var/log/suricata) makes sense. A user processing a pcap file would count as a 'user mode' where the output should probably go to another location. Perhaps there it would make sense to write output to the CWD (iirc Bro does this).

Actions #3

Updated by Jason Ish almost 5 years ago

I like what Victor is suggesting. Perhaps for pcaps the default log directory should be "." regardless of whats in the config file. Even if running as root, you wouldn't want to clobber the default log directory if Suricata is running as a daemon.

I more often than not do something like "-l ." or "-l ./log" when using pcaps.

Actions #4

Updated by Richard Sailer almost 5 years ago

I also think a distinction between 'user mode' and 'system mode' would make sense.

But this opens a new question: How fundamental should that distinction be and how exactly should it manifest?
Like:

  • Would it make sense to have a own user interface (like a wrapper script) with a own manpage for the 'user mode' usage
    (This could add/consolidate more 'user mode like' features into this script, and give nicer usability)
  • Would it make sense to have a own (small) chapter in the user guide for "user mode usage" of suricata.
Actions #5

Updated by Victor Julien almost 5 years ago

We could simply make it part of the 'runmodes' logic (e.g. see ./src/suricata --list-runmodes). A runmode could register if it is a system mode or a user mode.

Actions #6

Updated by Danny Browning over 4 years ago

Maybe just a --daemon or --server option?

Uses /var/log, enables unix socket, turns on capture, etc. Config would still take priority, but if not set, has default behavior. Thinking a flag like that would be useful for things like state serialization and log rolling, without needing them specified.

Actions #7

Updated by Victor Julien over 4 years ago

  • Assignee changed from Richard Sailer to OISF Dev

This 'server mode' is implied with the 'live' runmodes, so not sure we need an option for it. '-r' with that option wouldn't make sense anyway.

Actions #8

Updated by Victor Julien about 4 years ago

  • Assignee changed from OISF Dev to Anonymous
  • Effort set to low
  • Difficulty set to low
Actions #9

Updated by Andreas Herz almost 4 years ago

  • Assignee set to Community Ticket
Actions #10

Updated by Victor Julien over 3 years ago

  • Subject changed from Warn user if -r (pcap offline mode) is used with default log dir to add system mode and user mode
  • Status changed from New to Assigned
  • Assignee changed from Community Ticket to Victor Julien
  • Target version changed from TBD to 5.0beta1
  • Effort deleted (low)
  • Difficulty deleted (low)
Actions #11

Updated by Victor Julien over 3 years ago

  • Description updated (diff)
Actions #12

Updated by Victor Julien over 3 years ago

  • Status changed from Assigned to Closed
Actions

Also available in: Atom PDF