Feature #552

closed

Feature #571: interactive unix socket

State Reset for multiple pcap processing

Added by Matt Jonkman over 11 years ago. Updated over 11 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Would it be possible to have a signal that would cause suricata to reset its flowbits, flowints, and threshold counters?

The intent is to be able to have a running suricata instance that could be fed traffic from many disparate pcaps for analysis, but not let data or state from one affect the next.

Ideally an event to log this would be useful so post-analysis knows the division between pcaps.

Or, if easier, if we could change pcap mode to be able to take a list of pcaps in, and reset between each pcap (as an option, this wouldn't be ideal every time).
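The isolation asked for above can be obtained today by giving every pcap its own Suricata process and its own log directory, since flow tables, flowbits, flowints and threshold counters all die with the process and the per-pcap directory marks the division between captures. The script below is an added example for this page, not code from the Suricata project or from the issue author. It assumes the real `suricata` flags `-c` (config), `-r` (read pcap) and `-l` (log directory); the variables `SURICATA_BIN`, `SURICATA_YAML` and `DRY_RUN` and the functions `suricata_cmd` and `run_pcaps` are names chosen here for illustration. The cost of this approach, which is why a reset signal would still be useful, is that rules are reloaded for every capture.

```shell
#!/bin/sh
# Added example: one Suricata process per pcap so that flowbits, flowints
# and threshold counters cannot carry over from one capture to the next.
# Assumptions (not from the issue): SURICATA_BIN names the suricata binary,
# SURICATA_YAML its configuration, and DRY_RUN=1 prints the command lines
# instead of executing them.

SURICATA_BIN="${SURICATA_BIN:-suricata}"
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"

# Build the command line for one pcap. The log directory is named after the
# pcap, so logs from different captures never share a file; that directory
# boundary is the "division between pcaps" for post-analysis.
suricata_cmd() {
    pcap="$1"
    outroot="$2"
    name=$(basename "$pcap" .pcap)
    printf '%s -c %s -r %s -l %s/%s\n' \
        "$SURICATA_BIN" "$SURICATA_YAML" "$pcap" "$outroot" "$name"
}

# Process every pcap listed in the file (one path per line), each in a
# fresh process. A fresh process is the only guaranteed state reset: the
# flow table, flowbits, flowints and threshold counters all start empty.
run_pcaps() {
    listfile="$1"
    outroot="$2"
    while IFS= read -r pcap; do
        [ -z "$pcap" ] && continue
        cmd=$(suricata_cmd "$pcap" "$outroot")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            # suricata -l requires an existing directory.
            mkdir -p "$outroot/$(basename "$pcap" .pcap)"
            $cmd  # word splitting is intended; paths are assumed space-free
        fi
    done < "$listfile"
}

# Usage: sh run_pcaps.sh pcaps.txt /var/log/suricata/batch
if [ $# -ge 2 ]; then
    run_pcaps "$1" "$2"
fi
```

Run with `DRY_RUN=1` first to check the generated command lines; each pcap then lands in its own `-l` directory, and an `eve.json` or `fast.log` from one capture can never contain alerts whose flowbit or threshold state was set by another.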
