[Oisf-devel] Oisf-devel Digest, Vol 43, Issue 36

Anoop Saldanha anoopsaldanha at gmail.com
Wed Jul 31 13:12:57 UTC 2013


On Wed, Jul 31, 2013 at 6:26 PM, Prabhakaran Kasinathan
<prabhakaran1989 at gmail.com> wrote:
> On 07/30/2013 04:47 PM, Prabhakaran Kasinathan wrote:
>>
>> > Hi everyone,
>> >
>> > Let's consider that we have a pcap file with 50 matches of ICMP_SEQ:
>> > $number$ using wireshark.
>> >
>> > When we use Suricata with the same pcap to match ICMP_SEQ:$number$ (in
>> > a rule), it sometimes produces a different number, but a little less
>> > than or equal to the actual 50 matches.
>> >
>> > I mean for the first time it triggers 45 alerts, and a different number
>> > the next time. It misses some matches! This pattern can be reproduced in
>> > different cases such as threshold rules, etc. Each time, with the same
>> > rule and the same pcap, I get a different number of matches or sometimes
>> > the same number.
>>
>> How are you starting Suricata? I get predictable results every time.
>>
> I found that when the pcap size is smaller, Suricata predicts the exact
> numbers. But if the pcap is a little larger, it has an impact on the accuracy.
>
> After make, I start Suricata like this:
> sudo ./src/.libs/suricata -c suricata.yaml -r test00.pcapng
>

My reply from the other mail -

"Do you see it with non threshold/event rules as well?  If it is with
threshold/event rules it is possible to get different alerts based on
timing."

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
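As an added illustration of the point about threshold rules (this is not code from the thread or from Suricata), below is a simplified Python model of the `threshold` keyword run over two constructed timelines of the same 50 ICMP matches. The `type`/`count`/`seconds` semantics follow the Suricata rule documentation; the single-window bookkeeping is an assumption that stands in for the engine's per-rule, per-key tracking.

```python
"""Model of Suricata's `threshold` keyword (types limit, threshold, both) to
show why the alert count for the same 50 matches can change with packet
timing, while a plain content rule always yields 50."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Threshold:
    kind: str      # the rule's `type`: "limit", "threshold" or "both"
    count: int     # the rule's `count`
    seconds: int   # the rule's `seconds`


def alerts_for(match_ms: List[int], th: Optional[Threshold] = None) -> List[int]:
    """Millisecond times at which the rule fires for the given match times.

    Without a threshold every match alerts. With one, matches are counted in
    windows of `seconds` that open at the first match after the previous
    window expired (simplification: the real engine keeps one window per
    tracked key and rule)."""
    if th is None:
        return list(match_ms)
    window_ms = th.seconds * 1000
    fired, start, n = [], None, 0
    for t in match_ms:
        if start is None or t - start >= window_ms:
            start, n = t, 0          # window expired: open a new one here
        n += 1
        if th.kind == "limit" and n <= th.count:
            fired.append(t)          # first `count` matches per window
        elif th.kind == "threshold" and n % th.count == 0:
            fired.append(t)          # every `count`-th match per window
        elif th.kind == "both" and n == th.count:
            fired.append(t)          # once per window, when count is reached
    return fired


# Constructed timelines: the same 50 ICMP echo requests, 5 per second ...
PCAP_MS = [i * 200 for i in range(50)]
# ... and the same packets seen with a 500 ms stall after the 12th one.
DELAYED_MS = [i * 200 + (500 if i >= 12 else 0) for i in range(50)]


def compare(th: Optional[Threshold]) -> tuple:
    """Alert counts for both timelines under one threshold setting."""
    return len(alerts_for(PCAP_MS, th)), len(alerts_for(DELAYED_MS, th))


if __name__ == "__main__":
    print("no threshold           ", compare(None))
    print("type both,  count 5, 1s", compare(Threshold("both", 5, 1)))
    print("type limit, count 1, 1s", compare(Threshold("limit", 1, 1)))
```

The plain rule gives 50 alerts on both timelines; the `both` rule drops from 10 to 9 because the stall splits one window short of its count, and the `limit` rule rises from 10 to 11 because the stall opens an extra window.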


