Can we add an expire variable in the pcap-log settings?

shell_xu · March 24, 2024, 7:06am

Hi, Suricata Team:
Can we add an expire variable in the pcap-log settings? If the PCAP hasn’t reached the storage size limit, but meets the expire requirement, Suricata will record subsequent alerts in a new PCAP.

  - pcap-log:
      enabled: yes
      filename: log-%n-%t.pcap

      # File size limit.  Can be specified in kb, mb, gb.  Just a number
      # is parsed as bytes.
      limit: 10mb
      
      # File expiration limit. Can be specified in sec, min, or hour.
      expire: 60sec

      # If set to a value, ring buffer mode is enabled. Will keep maximum of
      # "max-files" of size "limit"
      max-files: 1000

vjulien · March 25, 2024, 11:55am

It’s not implemented.

Topic		Replies	Views
Suricata crashes when suricata.yaml setting max-file to 1 in pcap-log config Help suricata	4	331	September 13, 2023
Pcap-Log filename Help	1	520	January 30, 2021
Conditional pcap-log fails to log packets for some alerts when using "pcap-file-continuous" flag Help suricata	7	1105	July 31, 2023
Conditional PCAP may not log packets for all alerts	1	642	April 29, 2023
Conditional pcap-log max flow size/length	6	782	February 28, 2023

Can we add an expire variable in the pcap-log settings?

Related topics