mirror of https://github.com/OISF/suricata
Refactor pcap file deletion to use a single delete-when-done option with three values instead of separate boolean options:

- false (default): No deletion
- true: Always delete files
- "non-alerts": Delete only files with no alerts

Also account for alerts produced by pseudo packets (flow timeout / shutdown flush):

- Introduce small capture hooks and invoke on pseudo-packet creation so the capture layer can retain references and observe alerts emitted after the last live packet
- Call the hook from both TmThreadDisableReceiveThreads and TmThreadDrainPacketThreads

Key changes:

- Replace should_delete/delete_non_alerts_only bools with enum
- Move alert counter from global to per-file PcapFileFileVars
- Relocate alert counting from PacketAlertFinalize to pcap module
- Ensure thread safety for both single and continuous pcap modes
- Add unit tests for configuration parsing and pseudo-packet alert path

The --pcap-file-delete command line option overrides YAML config and forces "always delete" mode for backward compatibility.

Documentation updated to reflect the new three-value configuration.

Fixes OISF#7786

2 weeks ago

| | | |
|---|---|---|
| .. | ||
| commands-pcap-sc.rst | ||
| commands-sc.rst | 7 months ago | |
| eve-log.yaml | 4 weeks ago | |
| options-unittests.rst | ||
| options.rst | 2 weeks ago | |