[Oisf-devel] Suricata's Limitation?

Anoop Saldanha anoopsaldanha at gmail.com
Tue Jul 30 16:16:54 UTC 2013


Prabhakaran,

On Tue, Jul 30, 2013 at 9:15 PM, Peter Manev <petermanev at gmail.com> wrote:
>
> On 30 Jul 2013, at 16:32, Victor Julien <victor at inliniac.net> wrote:
>
>> On 07/30/2013 05:26 PM, Peter Manev wrote:
>>>
>>>
>>> On 30 Jul 2013, at 15:47, Prabhakaran Kasinathan <prabhakaran1989 at gmail.com> wrote:
>>>
>>>> Hi everyone,
>>>>
>>>> Let's consider that we have a pcap file with 50 matches of ICMP_SEQ: $number$ using Wireshark.
>>>>
>>>> When we use Suricata on the same pcap to match ICMP_SEQ:$number$ (in a rule), it sometimes produces a different number, a little less than or equal to the actual 50 matches.
>>>>
>>>> I mean the first time it triggers 45 alerts, and a different number the next time. It misses some matches! This pattern can be reproduced in different cases such as threshold rules, etc. Each time, with the same rule and the same pcap, I get a different number of matches or sometimes the same number.
>>>
>>> What if you try to lower the inspection chunk size in suricata.yaml (also disable chksum checking and use "--runmode=single")?
>>
>> Inspection chunks sizes are for TCP reassembly and have nothing to do
>> with rules inspecting icmp sequence numbers.
>
> Yes indeed - my bad, got carried away.
>

Do you see it with non-threshold/event rules as well?  If it is with
threshold/event rules, it is possible to get different alerts based on
timing.

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
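The comparison discussed in this thread (Wireshark count of a given ICMP sequence number versus Suricata alerts for an icmp_seq rule, over repeated runs of the same pcap), written out as a small repro script. This is an added example, not code from the thread or from the Suricata project. It assumes suricata and tshark are on PATH, that SURICATA_YAML points at a working suricata.yaml, and that the pcap and sequence number are supplied by the caller; the sids, msg strings and the threshold values are arbitrary choices made here. The thresholded copy of the rule is included so the reader can see Anoop's point directly: its count is expected to depend on timing, whereas the plain rule's count should equal the tshark count on every run.

```shell
#!/bin/sh
# Added example (not from the thread): compare the tshark frame count for an
# ICMP sequence number with Suricata's alert count for an icmp_seq rule,
# running the same pcap several times so that run-to-run differences show.
# Assumptions: suricata and tshark on PATH, $SURICATA_YAML set, pcap and
# sequence number passed as arguments. Sids and msgs are made up for this example.
set -eu

# Two rules for the same echo-request sequence number:
#   sid 1000001 plain; sid 1000002 with a per-source limit of 1 alert per 60 s.
write_rules() {   # $1 = rule file to write, $2 = icmp sequence number
    cat > "$1" <<EOF
alert icmp any any -> any any (msg:"ICMP echo seq $2"; itype:8; icmp_seq:$2; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"ICMP echo seq $2 (thresholded)"; itype:8; icmp_seq:$2; threshold: type limit, track by_src, count 1, seconds 60; sid:1000002; rev:1;)
EOF
}

# Count fast.log lines for one sid. fast.log entries carry "[gid:sid:rev]",
# so "[1:<sid>:" matches exactly that rule. Prints 0 when there are none.
count_alerts() {  # $1 = fast.log path, $2 = sid
    grep -c "\[1:$2:" "$1" || true
}

# Ground truth from the capture: frames whose ICMP sequence number matches
# (the same check the thread does in Wireshark). -Y is tshark's display
# filter flag in 1.10 and later; older releases use -R instead.
count_frames() {  # $1 = pcap, $2 = icmp sequence number
    tshark -r "$1" -Y "icmp.seq == $2" 2>/dev/null | wc -l | tr -d ' '
}

# Run Suricata on the pcap N times, each into a fresh log directory, and
# print expected vs observed counts for the plain and thresholded rule.
# --runmode=single and -k none (no checksum validation) follow the
# suggestion made in the thread, which removes threading as a variable.
repro() {         # $1 = pcap, $2 = icmp sequence number, $3 = number of runs
    rules=$(mktemp)
    write_rules "$rules" "$2"
    expected=$(count_frames "$1" "$2")
    i=1
    while [ "$i" -le "$3" ]; do
        logdir=$(mktemp -d)
        suricata -c "$SURICATA_YAML" -S "$rules" -r "$1" -l "$logdir" \
                 --runmode=single -k none >/dev/null 2>&1
        printf 'run %d: tshark=%s plain=%s thresholded=%s\n' "$i" "$expected" \
            "$(count_alerts "$logdir/fast.log" 1000001)" \
            "$(count_alerts "$logdir/fast.log" 1000002)"
        i=$((i + 1))
    done
}

# Only run when invoked explicitly, e.g.:
#   REPRO=1 SURICATA_YAML=/etc/suricata/suricata.yaml sh repro.sh icmp.pcap 1234 5
if [ "${REPRO:-0}" = 1 ]; then
    repro "$1" "$2" "${3:-5}"
fi
```

If the plain rule's count already differs between runs, the problem is not thresholding and the rule/pcap pair is worth attaching to a bug report; if only the thresholded count moves, that is the timing dependence Anoop describes, since a limit of 1 per 60 seconds per source collapses bursts of matches into one alert depending on where the 60-second windows fall.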