<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><br></div><div><br>On 14 Mar 2017, at 18:03, <a href="mailto:secres@linuxmail.org">secres@linuxmail.org</a> wrote:<br><br></div><blockquote type="cite"><div><div style="font-family: Verdana;font-size: 12.0px;"><div>> /opt/suricata/bin/suricata -V<br>
This is Suricata version 3.2beta1 RELEASE<br>
</div>
<div>/opt/suricata/bin/suricata -c /opt/suricata/etc/suricata/suricata.yaml -k none -r $PCAP -S $FILE</div>
<div> </div>
<div>I've been testing out Suricata for a little bit now and I've noticed some inconsistent results from alerts in the fast.log file. When I read in a pcap using -r I end up with a total alert count of 68-72 alerts in the file. I have been using the same PCAP file and same rules duing each test. I pulled some information from the stats.log file and noticed along with the detect.alert changing, some of the other values changed. I would think that reading in a PCAP would result in the same information each time. Is this typical, an error, or just some kind of misconfiguration in the suricata.yaml fille.</div>
<div> </div></div></div></blockquote><div><br></div><div>Do you use rules with threshold?</div><br><blockquote type="cite"><div><div style="font-family: Verdana;font-size: 12.0px;">
<div>Also, I added --simulated-ips to the command line option and on the same PCAP and rules file I end up with 128-132 alerts. It still varies the same way as before but there's a much greater number of alerts, any ideas?</div>
<div> </div>
<div><br>
Date: 3/14/2017 -- 09:12:45 (uptime: 0d, 00h 00m 00s)</div>
<div>...<br>
detect.alert | Total | 68</div>
<div>...</div>
<div>app_layer.flow.http | Total | 62<br>
...</div>
<div>flow.spare | Total | 9996<br>
flow_mgr.flows_checked | Total | 23<br>
flow_mgr.flows_notimeout | Total | 23<br>
flow_mgr.rows_checked | Total | 65536<br>
flow_mgr.rows_skipped | Total | 65513<br>
flow_mgr.rows_maxlen | Total | 1<br>
tcp.memuse | Total | 819200<br>
tcp.reassembly_memuse | Total | 12320544<br>
flow.memuse | Total | 7175616<br>
</div>
<div> </div>
<div>Date: 3/14/2017 -- 09:50:02 (uptime: 0d, 00h 00m 00s)<br>
...</div>
<div>detect.alert | Total | 72<br>
...</div>
<div>app_layer.flow.http | Total | 64</div>
<div>...</div>
<div>flow.spare | Total | 9995<br>
flow_mgr.flows_checked | Total | 19<br>
flow_mgr.flows_notimeout | Total | 19<br>
flow_mgr.rows_checked | Total | 65536<br>
flow_mgr.rows_skipped | Total | 65517<br>
flow_mgr.rows_maxlen | Total | 1<br>
tcp.memuse | Total | 819200<br>
tcp.reassembly_memuse | Total | 12320544<br>
flow.memuse | Total | 7180056</div>
<div> </div>
<div>Thanks!<br>
</div></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a></span><br><span>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a></span><br><span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br></div></blockquote></body></html>