<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_1_1456497704886_9711">Hello Andreas,</div><div id="yui_3_16_0_1_1456497704886_9711"><br></div><div id="yui_3_16_0_1_1456497704886_9711">Thanks for replying. </div><div id="yui_3_16_0_1_1456497704886_9711"><br></div><div id="yui_3_16_0_1_1456497704886_9711" dir="ltr">>How do you run suricata? And can you describe what you expected or what you want to achieve?</div><div id="yui_3_16_0_1_1456497704886_9711">I am running it on a non root user with -c, -r, -l flags to point to my yaml, pcap, and log directory, and pointing output to a file "> suricata_run 2>$1".</div><div id="yui_3_16_0_1_1456497704886_9711" dir="ltr">I am comparing it and snort so I am trying to figure out why suricata would alert a different number of times when digesting the same traffic. </div><div id="yui_3_16_0_1_1456497704886_9711"><br></div><div id="yui_3_16_0_1_1456497704886_9711"><br></div><div id="yui_3_16_0_1_1456497704886_9711" dir="ltr">>Might be worth to test 3.0 :)</div><div id="yui_3_16_0_1_1456497704886_9711" dir="ltr">I have just started using Suricata 3.0! The new output options are great. Sadly I still got the same issue with alert counts. </div><div id="yui_3_16_0_1_1456497704886_9711"><br></div><div id="yui_3_16_0_1_1456497704886_9711"><br></div><div id="yui_3_16_0_1_1456497704886_9711">>Such big pcaps are rather hard to debug/send. Can you narrow down "strange" behaviour to smaller pcaps that you can also share with us?</div><div id="yui_3_16_0_1_1456497704886_9711" dir="ltr"><br></div><div id="yui_3_16_0_1_1456497704886_9711" dir="ltr">I have extracted a smaller pcap with the ip causing the 12037 alert and also get inconsistent counts on 2101633 so it's a good small sample, and I am working on whether I can share it or not. But it may not be necessary. Looking through the yaml more closely I found a setting in the stream section that refers to the inconsistent alerting.</div><div id="yiv8972749073yui_3_16_0_1_1456497704886_2823" class=""><br clear="none" id="yui_3_16_0_1_1456497704886_10667" class=""></div><div class="" id="yiv8972749073yui_3_16_0_1_1456497704886_2840"># randomize-chunk-size: yes # Take a random value for chunk size around the specified value.</div><div class="" id="yiv8972749073yui_3_16_0_1_1456497704886_2840"># # This lower the risk of some evasion technics but could lead</div><div class="" id="yiv8972749073yui_3_16_0_1_1456497704886_2840" dir="ltr"># # detection change between runs. It is set to 'yes' by default.</div><div class="" id="yiv8972749073yui_3_16_0_1_1456497704886_2840" dir="ltr"><br></div><div class="" id="yiv8972749073yui_3_16_0_1_1456497704886_2840" dir="ltr">I set this to 'no' and am getting consistent detection on this smaller pcap, without 12037 showing up. I will test it out on the larger ones today. </div><div class="" id="yiv8972749073yui_3_16_0_1_1456497704886_2840" dir="ltr">But stemming from the yaml comments above, what evasion techniques are being thwarted by taking random chunks sizes while inspecting the raw stream? </div><div class="" id="yiv8972749073yui_3_16_0_1_1456497704886_2840" dir="ltr"><br></div><div class="" id="yiv8972749073yui_3_16_0_1_1456497704886_2840" dir="ltr"><br></div><div class="" id="yiv8972749073yui_3_16_0_1_1456497704886_2840" dir="ltr">Thank you for your help,</div><div class="" id="yiv8972749073yui_3_16_0_1_1456497704886_2840" dir="ltr">Derek</div><div class="" id="yiv8972749073yui_3_16_0_1_1456497704886_2840" dir="ltr"><br></div><div class="" id="yiv8972749073yui_3_16_0_1_1456497704886_2840" dir="ltr">(Hopefully I replied to this one thread out of the email digest by replacing the subject line with the original. Please correct me if I did not.)</div><div class="" id="yiv8972749073yui_3_16_0_1_1456497704886_2840" dir="ltr"><br></div><div id="yui_3_16_0_1_1456497704886_9711"><br></div><div id="yui_3_16_0_1_1456497704886_9711"><br></div><div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" id="yui_3_16_0_1_1456497704886_9735" style="display: block;"><div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_1_1456497704886_9734"><div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_1_1456497704886_9733"><div class="y_msg_container" id="yui_3_16_0_1_1456497704886_9732">----------------------------------------------------------------------<br><br>Message: 1<br>Date: Mon, 22 Feb 2016 22:20:46 +0100<br>From: Andreas Herz <<a ymailto="mailto:andi@geekosphere.org" href="mailto:andi@geekosphere.org" id="yui_3_16_0_1_1456497704886_10038">andi@geekosphere.org</a>><br>To: <a ymailto="mailto:oisf-users@lists.openinfosecfoundation.org" href="mailto:oisf-users@lists.openinfosecfoundation.org" id="yui_3_16_0_1_1456497704886_10039">oisf-users@lists.openinfosecfoundation.org</a><br>Subject: Re: [Oisf-users] Inconsistent Alerting<br>Message-ID: <<a ymailto="mailto:20160222212046.GP4767@kvmbude" href="mailto:20160222212046.GP4767@kvmbude" id="yui_3_16_0_1_1456497704886_9849">20160222212046.GP4767@kvmbude</a>><br>Content-Type: text/plain; charset=utf-8<br><br>Hi,<br><br>On 22/02/16 at 16:29, <a ymailto="mailto:derek_smithg@yahoo.com" href="mailto:derek_smithg@yahoo.com" id="yui_3_16_0_1_1456497704886_10077">derek_smithg@yahoo.com</a> wrote:<br>> I have been running Suricata against several pcaps withdifferent<br>> yaml configurations and am seeing the total count of alerts changefrom<br>> one run to another, or even with the same yaml but run at a<br>> differenttime. Has anyone come across anything similar before?<br><br>How do you run suricata?<br><br>And can you describe what you expected or what you want to achieve?<br id="yui_3_16_0_1_1456497704886_11874"><br>> Suricata-2.0.11<br><br>Might be worth to test 3.0 :)<br id="yui_3_16_0_1_1456497704886_11546"><br>> I ran them against 3 pcaps of sizes roughly 100GB, 200GB, and400GB,<br>> and tallied the alert counts, outputting any that were not the same<br>> acrossthe board. <br><br>Such big pcaps are rather hard to debug/send. Can you narrow down<br>"strange" behaviour to smaller pcaps that you can also share with us?<br id="yui_3_16_0_1_1456497704886_11647"><br>> This may be a different issue, but I have looked into 12037,which is<br>> very similar to 2101633 but with added replace and byte_test<br>> keywords,and think it might be a false positive. From carving out the<br>> ip’s involved withit from the pcap and running Suricata on that alone<br>> it hits that one alertabout 50% of the time. I ran it once with<br>> alert-debug output and found thepacket it’s supposedly alerting on and<br>> cannot find the byte pattern that wouldmatch to it. <br><br>It would also be helpful to narrow this down to a smaller pcap with that<br>we can also inform the ET guys if it's really a false positive.<br id="yui_3_16_0_1_1456497704886_9789"><br><br>-- <br>Andreas Herz<br><br><br></div> </div> </div> </div></div></body></html>