Skip to content

improve efficiency of Suricata processing uploaded PCAP files #457

New issue
New issue
Closed
Feature
Closed
improve efficiency of Suricata processing uploaded PCAP files#457
Feature
Assignees
mmguerojjrush
Labels
performanceRelated to speed/performancesuricataRelating to Malcolm's use of SuricatauploadRelating to PCAP and/or Zeek log ingestion
Milestone
v25.02.0
@mmguero

Description

@mmguero
mmguero
opened on Nov 5, 2024

@mmguero cloned issue idaholab/Malcolm#325 on 2024-01-08:

Currently as uploaded PCAP files are processed, each PCAP file results in a new suricata process for that PCAP file.

This is the same behavior for Zeek and Arkime capture; however, suricata seems to have more overhead (I often notice that suricata is still running on a batch of uploaded PCAP files long after the others are done).

I came across this thread describing using suricata socket control to send PCAP files to a single long-running suricata process, then output each eve.json to a different directory per-PCAP. This would be an improvement.

Metadata

Metadata

Assignees

Labels

performanceRelated to speed/performancesuricataRelating to Malcolm's use of SuricatauploadRelating to PCAP and/or Zeek log ingestion

Type

Feature

Projects

Malcolm

Status

Released

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions