I’d like to have Suricata monitor a directory where pcap files are delivered then removed (by an external tool, not Suricata) at a certain time interval. I’d like to keep track of any files that Suricata was unable to process because they had been deleted.
Is using a wrapper script which sends pcap files to Suricata with the pcap-file command through sockets (20. Interacting via Unix Socket — Suricata 6.0.2 documentation) a reasonable approach to what I’d like to do? The wrapper script would keep track of skipped files. Is there another way I ought to approach this?
An external tool delivers pcap files to a ram disk directory. The pcap filenames include an epoch datetime value, a count and a “stream” number (e.g. ...pcap 1622057775.1.0.pcap). The pcap generation tool increases the count on each newly generated pcap file.
Another tool removes these pcap files (using the remove system call) after a configurable time interval.
Various custom tools inspect these pcap files in the ram disk directory and generate metadata. They use the count to keep track of whether pcap files are being removed before the tool can process them.
Initially, I tried to have Suricata use the --pcap-file-continuous mode to monitor the ram disk directory for pcap files. However, I could not figure out a way for Suricata to keep track of skipped files, because it does not understand the count in the pcap naming scheme above:
suricata --pcap-file-continuous -v -c /etc/suricata/suricata.yaml -r /delay/complete
Thanks for any help!
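One way to build the wrapper the post proposes, as an added example that is not part of the original post and not Suricata's own code. It parses the `<epoch>.<count>.<stream>.pcap` naming scheme described above, tracks the count per stream so that files the rotation tool removed before the wrapper ever listed them are recorded as gaps, hands each surviving file to Suricata with the `pcap-file` command over the unix command socket (the JSON dialect the bundled `suricatasc` client speaks, with its `{"version": "0.2"}` handshake), and records files that disappeared between listing and submission or that Suricata refused. `SOCKET_PATH`, `OUTPUT_DIR` and the directory paths are placeholders for your deployment; the listing in the test is constructed.

```python
"""Wrapper that feeds pcap files to a running Suricata over its unix socket and
records files that vanished before they could be handed over.

Added example for this thread, not Suricata's own code. Assumptions (labelled):
  * filenames end in <epoch>.<count>.<stream>.pcap, as described in the post;
  * SOCKET_PATH / OUTPUT_DIR are placeholders for your deployment;
  * the wire format is the JSON dialect the bundled suricatasc client uses.
"""
import json
import os
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

SOCKET_PATH = "/var/run/suricata/suricata-command.socket"  # assumption: match unix-command.filename
OUTPUT_DIR = "/var/log/suricata/socket-runs"               # assumption: per-file log destination

NAME_RE = re.compile(r"(?P<epoch>\d+)\.(?P<count>\d+)\.(?P<stream>\d+)\.pcap$")


def parse_name(name: str) -> Optional[Dict[str, int]]:
    """Return {"epoch", "count", "stream"} for a matching filename, else None."""
    m = NAME_RE.search(name)
    return {k: int(v) for k, v in m.groupdict().items()} if m else None


def build_pcap_file_command(path: str, output_dir: str = OUTPUT_DIR) -> dict:
    """The pcap-file command as suricatasc encodes it (arguments: filename, output-dir)."""
    return {"command": "pcap-file",
            "arguments": {"filename": path, "output-dir": output_dir}}


class SkipTracker:
    """Per-stream counter: a jump in <count> means the rotation tool removed files first."""

    def __init__(self) -> None:
        self.next_expected: Dict[int, int] = {}
        self.skipped: List[Tuple[int, int, str]] = []  # (stream, count, reason)

    def observe(self, stream: int, count: int) -> None:
        expected = self.next_expected.get(stream)
        if expected is not None:
            for missing in range(expected, count):     # empty range when there is no gap
                self.skipped.append((stream, missing, "gone before listing"))
        if expected is None or count >= expected:
            self.next_expected[stream] = count + 1

    def note(self, stream: int, count: int, reason: str) -> None:
        self.skipped.append((stream, count, reason))


class SuricataSocket:
    """Minimal client for Suricata's unix command socket: handshake, then commands."""

    def __init__(self, path: str = SOCKET_PATH) -> None:
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(10)
        self.sock.connect(path)
        self._send({"version": "0.2"})                 # same handshake suricatasc performs
        if self._recv().get("return") != "OK":
            raise RuntimeError("Suricata rejected the protocol version")

    def _send(self, obj: dict) -> None:
        self.sock.sendall(json.dumps(obj).encode())

    def _recv(self) -> dict:
        buf = b""
        while True:                                    # one JSON object per reply
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("socket closed by Suricata")
            buf += chunk
            try:
                return json.loads(buf.decode())
            except ValueError:                         # reply not complete yet
                continue

    def pcap_file(self, path: str, output_dir: str = OUTPUT_DIR) -> dict:
        self._send(build_pcap_file_command(path, output_dir))
        return self._recv()


def feed_listing(names: Iterable[str], tracker: SkipTracker,
                 submit: Callable[[str], dict],
                 exists: Callable[[str], bool] = os.path.exists,
                 directory: str = "") -> List[str]:
    """Submit every parseable file in (stream, count) order; return the accepted paths."""
    entries = []
    for name in names:
        meta = parse_name(name)
        if meta:
            entries.append((meta, os.path.join(directory, name)))
    entries.sort(key=lambda e: (e[0]["stream"], e[0]["count"]))
    accepted: List[str] = []
    for meta, path in entries:
        tracker.observe(meta["stream"], meta["count"])
        if not exists(path):                           # removed between listing and submit
            tracker.note(meta["stream"], meta["count"], "deleted before submit")
            continue
        reply = submit(path)
        if reply.get("return") == "OK":
            accepted.append(path)
        else:                                          # Suricata refused it (return != OK)
            tracker.note(meta["stream"], meta["count"], str(reply.get("message")))
    return accepted


def feed_directory(directory: str, tracker: SkipTracker, client: SuricataSocket) -> List[str]:
    """One pass over the ram disk directory; call it on your poll interval."""
    return feed_listing(os.listdir(directory), tracker, client.pcap_file, directory=directory)
```

Run a pass with `feed_directory("/delay/complete", tracker, SuricataSocket())` on whatever interval is shorter than the removal tool's, then inspect `tracker.skipped`. Two caveats the wrapper cannot remove on its own: an `OK` reply only means Suricata queued the file, so if the removal tool deletes it before Suricata reaches it in the queue the loss shows up in Suricata's own log rather than in `tracker.skipped`, and keeping the queue short (for example by pausing submissions while `pcap-file-number` reports a backlog) is the practical mitigation; and the `pcap-file` command itself does not delete files, so the rotation tool keeps that role.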