In Ubuntu 22.04 I use Suricata version 8.0.2 RELEASE running in USER mode.
Suricata is installed with the apt install default method.
I use a minimal.yaml file & rules from emerging-all.rules Community
I have 61 pcap files.
If I run my command sequentially on each pcap file it works correctly:
suricata -c minimal.yaml -s emerging-all.rules -r
If I launch the command for all pcap files in my directory with
suricata -c minimal.yaml -s emerging-all.rules -r *.pcap
it fails with the error message:
Error: pcap: bpf compilation error can’t parse filter expression: syntax error for .pcap
Warning: pcap: Failed to init pcap file .pcap, skipping
Error: pcap: pcap file reader thread failed to initialize
If I remove the .pcap that is the 1st in the ls -la list, the error will come again with the 2nd of the list …
To test, I checked the ‘time order’ of all my pcaps and I removed all pcap’s with a “$strict” == “False” found with capinfos … but no change, it always fails.
Why can’t I use this syntax? Is there another way to specify ‘all pcap files’?
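An added example, not part of the original post. The shell expands *.pcap into one argument per file before Suricata starts; -r consumes only the first name and Suricata reads the remaining positional arguments as a BPF capture filter, which is why the error reports a ".pcap" name as an unparsable filter expression. Suricata's -r accepts a directory as well as a single file, so the script below shows two ways to cover a whole directory: directory mode in one process, or one process per file with its own log directory. The SURICATA, CONFIG and RULES variables and the per-file log layout are assumptions for the example, not the poster's setup.

```shell
#!/bin/sh
# Added example: run Suricata over every pcap in a directory without a shell
# glob on the -r argument. Two options:
#   1. run_dir_mode: give -r the directory itself (Suricata reads every file
#      in it, ordered by modification time), one process, one log set;
#   2. run_per_file: one Suricata process per pcap, each with its own log
#      directory, so alerts can be attributed to the capture they came from.
# SURICATA, CONFIG and RULES are assumed defaults; override them as needed.
set -eu

SURICATA="${SURICATA:-suricata}"
CONFIG="${CONFIG:-minimal.yaml}"
RULES="${RULES:-emerging-all.rules}"

# Option 1: let Suricata walk the directory (one process, one log set).
run_dir_mode() {
    dir="$1"; logdir="$2"
    mkdir -p "$logdir"
    "$SURICATA" -c "$CONFIG" -s "$RULES" -r "$dir" -l "$logdir"
}

# Option 2: one process per pcap, one log directory per pcap.
# Prints the number of files processed.
run_per_file() {
    dir="$1"; logroot="$2"
    count=0
    for pcap in "$dir"/*.pcap; do
        [ -e "$pcap" ] || continue          # glob matched nothing
        name=$(basename "$pcap" .pcap)
        mkdir -p "$logroot/$name"
        # Quoting "$pcap" keeps a name with spaces as a single -r argument,
        # so nothing spills over into the BPF filter position.
        "$SURICATA" -c "$CONFIG" -s "$RULES" -r "$pcap" -l "$logroot/$name"
        count=$((count + 1))
    done
    echo "$count"
}

# Usage: set PCAP_DIR to a directory of captures to process it per file,
# e.g. PCAP_DIR=./captures sh run_pcaps.sh
if [ -n "${PCAP_DIR:-}" ]; then
    run_per_file "$PCAP_DIR" "${LOG_ROOT:-./logs}"
fi
```

Directory mode keeps Suricata's flow state across files, which matters when a session spans two captures; the per-file loop resets state for each capture but makes it obvious which pcap produced a given eve.json entry.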