[Oisf-devel] Help! How can I get alerts when each pcap replaying

Anoop Saldanha anoopsaldanha at gmail.com
Mon Jul 15 15:01:23 UTC 2013


You are reusing the same old flows if you resend the pcap instantly.
The wait gets you the desired result since by then the old flows are
culled.

Modify flow-timeouts.tcp.[new|established|closed] to a smaller
value (but not small enough that the flow is culled before all packets
are seen from the flow on a single run) and see if that solves it for
you.

On Mon, Jul 15, 2013 at 7:55 PM, xbadou xbadou <xbadou at gmail.com> wrote:
> Hi, Peter
>
> In my test, I find that when I sleep a while (several minutes) between each
> replay, then each replay causes alerts correctly.
>
> ‘Correctly’ here means that if each replay causes 50 alerts, N
> replays cause N*50 alerts.
>
>
>
> On Mon, Jul 15, 2013 at 10:12 PM, xbadou xbadou <xbadou at gmail.com> wrote:
>>
>> Hi
>>
>> I replay the pcap file which is attached. The pcap file can cause many
>> alerts in fast.log, for example 50 alerts. When I replay it for a second
>> time, I expect there to be 100 alerts in fast.log but it is still 50.
>>
>> But when I restart suricata and replay the packets then I can get 100
>> alerts.
>>
>>
>>
>> On Mon, Jul 15, 2013 at 9:50 PM, Peter Manev <petermanev at gmail.com> wrote:
>>>
>>> Hi ,
>>>
>>> >
>>> >
>>> >
>>> > On Mon, Jul 15, 2013 at 8:54 PM, xbadou xbadou <xbadou at gmail.com>
>>> > wrote:
>>> >>
>>> >> Hi
>>> >>
>>> >>
>>> >>
>>> >> I am using suricata 1.4.2. Today I do a test, but can't get the result
>>> >> I want.
>>> >>
>>>
>>> What is the result that you want?
>>>
>>> >>
>>> >>
>>> >> I use a computer running suricata and listening to traffic on one
>>> >> interface. At the same time, I use the other PC replaying a pcap file
>>> >> on the interface which is connected to the first PC. The pcap file
>>> >> contains some TCP packets which can cause alerts.
>>> >>
>>> >>
>>> >>
>>>
>>>
>>> What are the alerts that you are seeing and what are the alerts that
>>> you are expecting?
>>>
>>>
>>>
>>> Regards,
>>> Peter Manev
>>
>>
>
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/



-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
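The mechanism Anoop describes (replayed packets landing in flows that have not yet been culled, and the risk of setting the timeouts shorter than the pcap itself) is easier to reason about with a small model. The script below is an added example, not Suricata code and not something from this thread: it is a deliberately simplified flow table keyed by the bidirectional 5-tuple, with per-state idle timeouts standing in for `flow-timeouts.tcp.new`, `.established` and `.closed` from suricata.yaml. The sample "pcap", the rule content, the timeout values and all class and function names are constructed for the example; the timeout numbers are not Suricata's defaults.

```python
"""Toy model of Suricata's flow table: why an immediate pcap replay adds no
alerts, why a pause (or shorter flow timeouts) fixes it, and why timeouts
shorter than the pcap's own inter-packet gaps break detection entirely.
Added example, not Suricata code; every value below is constructed."""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags as letters, e.g. "S", "SA", "A", "PA", "FA"
    seq: int
    payload: bytes = b""


@dataclass
class Flow:
    last_seen: float
    state: str = "new"                     # new -> established -> closed
    syn_seen: bool = False                 # picked up mid-stream: never "established"
    seen_segments: set = field(default_factory=set)  # (direction, seq) of data segments


RULE_CONTENT = b"/evil"   # stand-in for one content rule with flow:established


class FlowTable:
    def __init__(self, timeouts):
        self.timeouts = timeouts           # {"new": s, "established": s, "closed": s}
        self.flows = {}
        self.flows_created = 0

    @staticmethod
    def key(p):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def cull(self, now):
        """Evict flows idle longer than their state's timeout; returns how many."""
        expired = [k for k, f in self.flows.items()
                   if now - f.last_seen > self.timeouts[f.state]]
        for k in expired:
            del self.flows[k]
        return len(expired)

    def process(self, p):
        """Feed one packet; returns True if the rule alerts on it."""
        self.cull(p.ts)
        k = self.key(p)
        f = self.flows.get(k)
        if f is None:
            f = self.flows[k] = Flow(last_seen=p.ts)
            self.flows_created += 1
        f.last_seen = p.ts
        direction = 0 if (p.src, p.sport) == k[0] else 1
        # Minimal state machine: SYN then a pure ACK completes the handshake,
        # FIN or RST closes. A flow created without its SYN stays "new".
        if "S" in p.flags:
            f.syn_seen = True
        elif "F" in p.flags or "R" in p.flags:
            f.state = "closed"
        elif f.state == "new" and f.syn_seen and "A" in p.flags:
            f.state = "established"
        if not p.payload:
            return False
        seg = (direction, p.seq)
        if seg in f.seen_segments:
            return False                   # retransmission: data already delivered once
        f.seen_segments.add(seg)
        return f.state == "established" and RULE_CONTENT in p.payload


def replay(packets, times, gap, timeouts):
    """Replay `packets` `times` times into one flow table with `gap` seconds
    of silence between replays. Returns (alerts, flows_created)."""
    table = FlowTable(timeouts)
    duration = packets[-1].ts - packets[0].ts
    alerts = 0
    for i in range(times):
        offset = i * (duration + gap)
        for p in packets:
            if table.process(replace(p, ts=p.ts + offset)):
                alerts += 1
    return alerts, table.flows_created


# Constructed sample "pcap": one short HTTP session that trips the rule once.
C, S = ("10.0.0.2", 40000), ("10.0.0.1", 80)
SAMPLE_PCAP = [
    Packet(0.00, *C, *S, "S", 100),
    Packet(0.01, *S, *C, "SA", 500),
    Packet(0.02, *C, *S, "A", 101),
    Packet(0.03, *C, *S, "PA", 101, b"GET /evil HTTP/1.0\r\n\r\n"),
    Packet(0.04, *S, *C, "A", 501),
    Packet(0.05, *C, *S, "FA", 123),
    Packet(0.06, *S, *C, "FA", 501),
]
# Constructed timeouts (not Suricata's defaults): they outlive the 60 ms session
# but let a replay a minute later start fresh flows.
TIMEOUTS = {"new": 30.0, "established": 300.0, "closed": 20.0}
# Anoop's caveat: below the pcap's inter-packet gaps the flow is culled
# mid-session, the handshake never completes and nothing alerts.
TOO_SHORT = {"new": 0.005, "established": 0.005, "closed": 0.005}

if __name__ == "__main__":
    for label, gap, to in [("back-to-back", 0.0, TIMEOUTS),
                           ("60 s apart", 60.0, TIMEOUTS),
                           ("timeouts too short", 0.0, TOO_SHORT)]:
        print(label, replay(SAMPLE_PCAP, 3, gap, to))
```

Three replays back to back produce one alert and one flow, the same three replays spaced 60 s apart produce three of each, and timeouts shorter than the packet spacing produce none. The middle case is what the original poster observed after sleeping between replays; lowering `flow-timeouts.tcp.closed` has the same effect without the sleep, as long as it stays above the pcap's own duration.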


