rule2alert

pcap not being created

Open richrumble opened this issue 10 years ago • 7 comments

python r2a.py -C /etc/suricata/suricata-debian.yaml -f rules/emerging-all.rules -e 1.2.3.4 -m 10.0.0.123 -w test.pcap -v
Using Linux Mint; python-yaml and python-scapy are installed. Python 2.7.6 is installed. Output errors from the above command can be found here: http://justpaste.it/obsk

richrumble, Oct 15 '15 12:10

Does it make the rule/pcap pairs? I could not see from the output. There are a number of errors, but those could be for a valid reason: a keyword not implemented, for example.

pevma, Oct 15 '15 12:10

Nothing is written, unfortunately. I'm going to try on a Windows host next; I'll let you know how that goes. And, as a security "best practice", I was running as root ;)

richrumble, Oct 15 '15 13:10

You can have a look in the "failed/good" streams folders.

pevma, Oct 15 '15 13:10

Readme.txt is all that is in those... Same for Windows... nothing written. There are more errors on Windows too; I can open another issue for that if you want to support it :(

richrumble, Oct 15 '15 18:10

If I constrain the rules that will build, I can create pcaps on each of Windows/Linux.

richrumble, Oct 15 '15 19:10

Ok. Can you pinpoint which rule is causing that? One more question: what do you mean by "each win/linux"?

pevma, Oct 16 '15 15:10

I've got it working on Windows and Linux (py27). I've not narrowed it down to a specific rule yet, just the 3174 rules that do work. I'll try the inverse soon.

richrumble, Oct 17 '15 00:10
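The thread ends with 3174 rules that build and no single culprit identified. The helper below is an added example (my code, not part of rule2alert or anything the participants posted) of how a practitioner would narrow that down: it splits a rules file into one rule per file, runs r2a.py on each with exactly the flags from the reporter's command (-C, -f, -e, -m, -w, -v), and records which rules yield a non-empty pcap. The rule runner is injectable, so the sorting logic can be exercised without rule2alert installed; SAMPLE_RULES, fake_runner and the "unsupported_keyword" option are constructed for the demonstration and are not real Emerging Threats signatures. Whether r2a.py writes an empty file or nothing at all on a failed rule is an assumption; the size check covers both cases.

```python
"""Per-rule bisection helper for rule2alert (hypothetical example, not project code)."""
import os
import re
import subprocess
import tempfile
from typing import Callable, Dict, List, Optional

# "sid:NNN;" option, used to key results by signature id
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules file: a simple rule, a disabled rule, a rule using
# backslash line continuation, and one with a made-up option a converter might
# not implement. These are NOT real ET signatures.
SAMPLE_RULES = r"""# constructed sample, not real Emerging Threats rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TEST simple content"; content:"GET /"; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TEST disabled"; content:"X"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"TEST continued"; \
    content:"EHLO"; sid:9000003; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"TEST unsupported"; unsupported_keyword:1; sid:9000004; rev:1;)
"""


def split_rules(text: str) -> List[str]:
    """Split a rules file into individual enabled rules.

    Blank lines and '#'-disabled rules are skipped; lines ending in a
    backslash (Snort/Suricata line continuation) are joined into one rule.
    """
    rules: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf == "" and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rules.append((buf + line).strip())
        buf = ""
    if buf:  # file ended in the middle of a continuation
        rules.append(buf.strip())
    return rules


def rule_sid(rule: str) -> Optional[str]:
    """Return the rule's sid as a string, or None if it has none."""
    m = SID_RE.search(rule)
    return m.group(1) if m else None


def r2a_command(rule_path: str, pcap_path: str,
                config: str = "/etc/suricata/suricata-debian.yaml",
                ext_ip: str = "1.2.3.4", home_ip: str = "10.0.0.123") -> List[str]:
    """Build the r2a.py invocation with the same flags the reporter used."""
    return ["python", "r2a.py", "-C", config, "-f", rule_path,
            "-e", ext_ip, "-m", home_ip, "-w", pcap_path, "-v"]


def run_r2a_subprocess(rule_path: str, pcap_path: str) -> bool:
    """Real runner: invoke r2a.py and report whether a non-empty pcap appeared."""
    subprocess.run(r2a_command(rule_path, pcap_path),
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return os.path.isfile(pcap_path) and os.path.getsize(pcap_path) > 0


def fake_runner(rule_path: str, pcap_path: str) -> bool:
    """Stand-in runner for offline demos: 'fails' on the constructed option."""
    with open(rule_path) as fh:
        return "unsupported_keyword" not in fh.read()


def bisect_rules(text: str, runner: Callable[[str, str], bool],
                 workdir: Optional[str] = None) -> Dict[str, List[str]]:
    """Run every rule on its own and sort sids into 'good' and 'failed'.

    runner(rule_path, pcap_path) must return True iff a pcap was produced.
    """
    workdir = workdir or tempfile.mkdtemp(prefix="r2a-bisect-")
    result: Dict[str, List[str]] = {"good": [], "failed": []}
    for i, rule in enumerate(split_rules(text)):
        key = rule_sid(rule) or "rule%d" % i
        rule_path = os.path.join(workdir, key + ".rules")
        pcap_path = os.path.join(workdir, key + ".pcap")
        with open(rule_path, "w") as fh:
            fh.write(rule + "\n")
        result["good" if runner(rule_path, pcap_path) else "failed"].append(key)
    return result


if __name__ == "__main__":
    import sys
    # Usage: python bisect_r2a.py rules/emerging-all.rules   (uses the real r2a.py)
    # With no argument the constructed sample is run through the fake runner.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            summary = bisect_rules(fh.read(), run_r2a_subprocess)
    else:
        summary = bisect_rules(SAMPLE_RULES, fake_runner)
    print("good:   %d rules" % len(summary["good"]))
    print("failed: %s" % ", ".join(summary["failed"]))
```

Running it against the full emerging-all.rules file with the real runner is slow (one r2a.py process per rule), but the "failed" list is exactly the set the thread was looking for, and the per-sid .rules files left in the work directory can be fed back to r2a.py -f one at a time to read the specific error for each.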