[Oisf-devel] Suricata's Limitation?
Victor Julien
victor at inliniac.net
Tue Jul 30 15:31:09 UTC 2013
On 07/30/2013 04:47 PM, Prabhakaran Kasinathan wrote:
> Hi everyone,
>
> Let's consider that we have a pcap file with 50 matches of ICMP_SEQ:
> $number$ using wireshark.
>
> When we use Suricata on the same pcap to match ICMP_SEQ:$number$ (in
> a rule), it sometimes produces a different number, a little less than or equal
> to the actual 50 matches.
>
> I mean the first time it triggers 45 alerts, and a different number the next
> time. It misses some matches! This pattern can be reproduced in
> different cases such as a threshold rule, etc. Each time, with the same
> rule and the same pcap, I get a different number of matches or sometimes the same number of matches.
How are you starting Suricata? I get predictable results every time.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
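A reproducible way to check the discrepancy described in the thread is to build a pcap whose ICMP sequence numbers are known in advance, count the ground truth yourself (what a Wireshark `icmp.seq == N` filter would report), and then compare that with the number of alerts Suricata writes to fast.log after `suricata -r test.pcap -S test.rules -l out/`. The following is an added example written for this page, not code from the thread or from the Suricata project; the pcap contents and the sample fast.log lines are constructed here, the file names and the SID are arbitrary, and only the rule keywords (`itype`, `icmp_seq`) are Suricata's own. The only dependency is the Python standard library.

```python
"""Build a pcap of ICMP echo requests with known sequence numbers, count the
ground-truth matches, and count Suricata alerts for the matching rule.

Added example for this thread, not Suricata project code.  The packets, the
rule text, the file names and the fast.log sample are all constructed here.
"""
import struct

TARGET_SEQ = 7          # stands in for the thread's $number$ (assumption)
SID = 1000001           # arbitrary rule SID used to count alerts in fast.log


def checksum(data: bytes) -> int:
    """RFC 1071 ones' complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_frame(seq: int, ident: int = 0x1234) -> bytes:
    """Ethernet + IPv4 + ICMP echo request (type 8) carrying the given seq."""
    payload = b"suricata-test"
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("0011223344550066778899aa") + b"\x08\x00"
    return eth + ip + icmp


def build_pcap(seqs) -> bytes:
    """Classic libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, seq in enumerate(seqs):
        frame = icmp_echo_frame(seq)
        out += struct.pack("<IIII", 1_000_000 + i, i * 1000, len(frame), len(frame)) + frame
    return out


def count_icmp_seq(pcap: bytes, target: int) -> int:
    """Ground truth: number of ICMP echo requests whose seq equals target."""
    n, off = 0, 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl]
        off += incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue  # not IPv4 over Ethernet, or not ICMP
        ihl = (frame[14] & 0x0F) * 4
        icmp = frame[14 + ihl:]
        if len(icmp) >= 8 and icmp[0] == 8 and struct.unpack("!H", icmp[6:8])[0] == target:
            n += 1
    return n


def suricata_rule(target: int, sid: int = SID) -> str:
    """One Suricata rule matching echo requests with the target sequence number."""
    return ('alert icmp any any -> any any (msg:"ICMP echo seq %d"; itype:8; '
            'icmp_seq:%d; sid:%d; rev:1;)' % (target, target, sid))


def count_fast_log_alerts(fast_log: str, sid: int = SID) -> int:
    """Count fast.log lines carrying the rule's [gid:sid:rev] tag."""
    tag = "[1:%d:1]" % sid
    return sum(1 for line in fast_log.splitlines() if tag in line)


if __name__ == "__main__":
    # 50 frames with the target seq plus 30 distractors: ground truth is 50.
    seqs = [TARGET_SEQ] * 50 + list(range(100, 130))
    pcap = build_pcap(seqs)
    with open("test.pcap", "wb") as f:
        f.write(pcap)
    with open("test.rules", "w") as f:
        f.write(suricata_rule(TARGET_SEQ) + "\n")
    print("expected matches:", count_icmp_seq(pcap, TARGET_SEQ))
    # Then run, several times, and compare the two numbers:
    #   suricata -r test.pcap -S test.rules -l out/ && grep -c '[1:1000001:1]' out/fast.log
```

Running the Suricata command repeatedly against the same `test.pcap` and feeding each `out/fast.log` to `count_fast_log_alerts` gives a direct, repeatable comparison against the ground-truth count, which is the measurement the original post describes doing by hand with Wireshark.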