Hi, I wrote a wrapper program in Python to analyze pcap files in offline mode from the command line, `suricata -r test.pcap`, and I use Python to analyze the output logs.
- How can I know that the offline analysis is done and notify Python so it can parse the logs? (Suricata is invoked from the command line.)
- Is there a way for Suricata to transmit logs via a socket API to another machine? In the .yaml, there are a few options such as local socket, local file and Redis.
Have a look at https://suricata.readthedocs.io/en/latest/manpages/suricatasc.html#pcap-mode-commands for working with Suricata in pcap mode.
suricatasc is a Python program, so you can import the libraries it uses in your own application.
Logging to file and then moving the files sounds easier than dealing with sockets.
Not built-in or provided as that is often specific to an implementation. You could log to syslog and have your syslog forward to a remote machine. Or if you are integrating with Elastic, you could look at Logstash and Filebeat. Or as it sounds like you are processing offline pcaps, perhaps scp is enough?
If it’s just run once with each pcap, you can just wait for the process to end. That’s how I do it in a small script.
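A wrapper along the lines of the last reply, as an added example (not code from the original thread or the Suricata project): it runs Suricata in pcap mode with the real `-r`, `-l` and `-c` flags, blocks in `subprocess.run` until the process exits (which in `-r` mode is exactly when the offline analysis is finished), then parses the `eve.json` written to the log directory and counts alerts by signature. The function names, the log directory layout and the `SAMPLE_EVE` lines are assumptions constructed for the example; the sample lines follow the EVE JSON field names but are not real captured output.

```python
import json
import subprocess
import sys
from collections import Counter
from pathlib import Path


def build_suricata_cmd(pcap, logdir, config=None):
    """Assemble the pcap-mode command line: suricata -r <pcap> -l <logdir> [-c <yaml>]."""
    cmd = ["suricata", "-r", str(pcap), "-l", str(logdir)]
    if config:
        cmd += ["-c", str(config)]
    return cmd


def run_offline(pcap, logdir, config=None, timeout=None):
    """Run Suricata on one pcap and block until it exits.

    subprocess.run only returns once the child process has terminated, so a
    zero return code is the "analysis is done" signal the question asks for;
    eve.json in logdir is complete at that point. Non-zero exit raises so the
    caller never parses a partial or missing log.
    """
    Path(logdir).mkdir(parents=True, exist_ok=True)
    proc = subprocess.run(
        build_suricata_cmd(pcap, logdir, config),
        capture_output=True, text=True, timeout=timeout,
    )
    if proc.returncode != 0:
        raise RuntimeError(f"suricata exited {proc.returncode}: {proc.stderr.strip()}")
    return Path(logdir) / "eve.json"  # default EVE file name under -l logdir


def parse_eve_lines(lines):
    """Yield one dict per EVE JSON line, skipping blank or truncated lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # A cut-off last line (e.g. a log read while still being written)
            # must not abort the whole run.
            continue


def summarize_alerts(events):
    """Count alert events by (signature_id, signature); other event types are ignored."""
    counts = Counter()
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        alert = ev["alert"]
        counts[(alert["signature_id"], alert["signature"])] += 1
    return counts


def analyze_pcap(pcap, logdir="suricata-logs", config=None):
    """Full wrapper: run Suricata, wait for it, then parse the finished eve.json."""
    eve_path = run_offline(pcap, logdir, config)
    with open(eve_path, encoding="utf-8") as fh:
        return summarize_alerts(parse_eve_lines(fh))


# Constructed sample EVE lines (assumption: shaped like eve.json, not real output),
# so the parsing half can be exercised without Suricata installed.
SAMPLE_EVE = [
    '{"timestamp":"2023-01-01T00:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"src_port":44321,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2023-01-01T00:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5",'
    '"dest_ip":"10.0.0.9","proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":3}}',
    '{"timestamp":"2023-01-01T00:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"src_port":44322,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2023-01-01T00:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.7",'
    '"src_port":50000,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":20,'
    '"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2023-01-01T00:00:05.000000+0000","event_type":"alert"',  # truncated line
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: python wrapper.py test.pcap [logdir]
        logdir = sys.argv[2] if len(sys.argv) > 2 else "suricata-logs"
        result = analyze_pcap(sys.argv[1], logdir)
    else:
        # No pcap given: demonstrate the parser on the constructed sample.
        result = summarize_alerts(parse_eve_lines(SAMPLE_EVE))
    for (sid, name), n in result.most_common():
        print(f"{n:4d}  sid={sid}  {name}")
```

Because `subprocess.run` waits for the child to exit, there is no need for a separate "done" notification; if you ever switch to a long-running Suricata with `suricatasc` pcap-mode commands instead of one process per file, the parsing functions stay the same and only `run_offline` changes.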