[Oisf-devel] Oisf-devel Digest, Vol 43, Issue 36

Prabhakaran Kasinathan prabhakaran1989 at gmail.com
Wed Jul 31 12:56:30 UTC 2013


On 07/30/2013 04:47 PM, Prabhakaran Kasinathan wrote:

> > Hi everyone,
> >
> > Let's consider that we have a pcap file with 50 matches of ICMP_SEQ:
> > $number$ using wireshark.
> >
> > When we use suricata using the same pcap to match ICMP_SEQ:$number$ ( in
> > a rule), it produces sometimes different, but little less than or equal
> > to the actual 50 matches.
> >
> > I mean for the first time it triggers 45 alerts, and different next
> > time. It misses some matches! This pattern can be reproduced in
> > different cases such as threshold rule, etc. Each time with the same
> > rule and same pcap, I get different match or sometime same number of
> > match.
> 
> How are you starting Suricata? I get predictable results every time.

I found that, when the pcap size is less, Suricata predicts the exact
numbers. But, if the pcap is a little larger, it has an impact on the
accuracy.

After make, I start suricata like this:
sudo ./src/.libs/suricata -c suricata.yaml -r test00.pcapng

--
Best Regards,
Prabhakaran Kasinathan.
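To tell a genuinely non-deterministic run apart from a miscount, a practitioner would compare per-signature alert counts across several runs of the same pcap. The script below is an added example written for this thread, not code posted by anyone on the list or shipped with Suricata; it assumes each run wrote its alerts to a separate fast.log (one line per alert, in the `[**] [gid:sid:rev] msg [**]` format) and uses constructed sample log lines rather than real output.

```python
import re
from collections import Counter

# Matches the "[**] [gid:sid:rev] msg [**]" portion of a fast.log alert line.
FAST_LOG_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")


def _line(sid, seq):
    # Constructed fast.log alert line (sample data, not captured output).
    return (f"07/31/2013-12:56:{seq:02d}.000000  [**] [1:{sid}:1] ICMP seq match "
            f"[**] [Classification: Misc activity] [Priority: 3] {{ICMP}} "
            f"10.0.0.1:8 -> 10.0.0.2:0")


# Three constructed runs over the same pcap: run2 is missing one alert for
# sid 1000001, which is the symptom described in the thread.
RUNS = {
    "run1": "\n".join([_line(1000001, 1), _line(1000001, 2), _line(1000002, 3), _line(1000001, 4)]),
    "run2": "\n".join([_line(1000001, 1), _line(1000002, 3), _line(1000001, 4)]),
    "run3": "\n".join([_line(1000001, 1), _line(1000001, 2), _line(1000002, 3), _line(1000001, 4)]),
}


def count_alerts(fast_log_text):
    """Return a Counter mapping (gid, sid) to the number of alerts in one fast.log."""
    counts = Counter()
    for line in fast_log_text.splitlines():
        m = FAST_LOG_RE.search(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def unstable_signatures(runs):
    """Given {run_name: fast.log text}, return {(gid, sid): [count per run, in
    run-name order]} for every signature whose count differs between runs.
    An empty dict means every run produced identical counts."""
    per_run = {name: count_alerts(text) for name, text in runs.items()}
    names = sorted(per_run)
    all_sids = set().union(*per_run.values())
    unstable = {}
    for sid in sorted(all_sids):
        counts = [per_run[name][sid] for name in names]  # Counter returns 0 if absent
        if len(set(counts)) > 1:
            unstable[sid] = counts
    return unstable


if __name__ == "__main__":
    for sid, counts in unstable_signatures(RUNS).items():
        print(f"gid:sid {sid[0]}:{sid[1]} varies across runs: {counts}")
```

With real data, point each run at its own log directory and feed the three fast.log files in; a non-empty result is the signal to investigate before trusting threshold rules on that pcap.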