<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><br></div><div><br>On 14 Mar 2017, at 18:03, <a href="mailto:secres@linuxmail.org">secres@linuxmail.org</a> wrote:<br><br></div><blockquote type="cite"><div><div style="font-family: Verdana;font-size: 12.0px;"><div>> /opt/suricata/bin/suricata -V<br>
This is Suricata version 3.2beta1 RELEASE<br>
 </div>

<div>/opt/suricata/bin/suricata -c /opt/suricata/etc/suricata/suricata.yaml -k none -r $PCAP -S $FILE</div>

<div> </div>

<div>I've been testing out Suricata for a little bit now and I've noticed some inconsistent results from alerts in the fast.log file.  When I read in a pcap using -r I end up with a total alert count of 68-72 alerts in the file.  I have been using the same PCAP file and same rules during each test.  I pulled some information from the stats.log file and noticed along with the detect.alert changing, some of the other values changed.  I would think that reading in a PCAP would result in the same information each time.  Is this typical, an error, or just some kind of misconfiguration in the suricata.yaml file?</div>

<div> </div></div></div></blockquote><div><br></div><div>Do you use rules with threshold?</div><br><blockquote type="cite"><div><div style="font-family: Verdana;font-size: 12.0px;">

<div>Also, I added --simulated-ips to the command line option and on the same PCAP and rules file I end up with 128-132 alerts.  It still varies the same way as before, but there's a much greater number of alerts. Any ideas?</div>

<div> </div>

<div><br>
Date: 3/14/2017 -- 09:12:45 (uptime: 0d, 00h 00m 00s)</div>

<div>...<br>
detect.alert                               | Total                     | 68</div>

<div>...</div>

<div>app_layer.flow.http                    | Total                     | 62<br>
...</div>

<div>flow.spare                                 | Total                     | 9996<br>
flow_mgr.flows_checked             | Total                     | 23<br>
flow_mgr.flows_notimeout          | Total                     | 23<br>
flow_mgr.rows_checked             | Total                     | 65536<br>
flow_mgr.rows_skipped              | Total                     | 65513<br>
flow_mgr.rows_maxlen               | Total                     | 1<br>
tcp.memuse                               | Total                     | 819200<br>
tcp.reassembly_memuse             | Total                     | 12320544<br>
flow.memuse                              | Total                     | 7175616<br>
 </div>

<div> </div>

<div>Date: 3/14/2017 -- 09:50:02 (uptime: 0d, 00h 00m 00s)<br>
...</div>

<div>detect.alert                               | Total                     | 72<br>
...</div>

<div>app_layer.flow.http                    | Total                     | 64</div>

<div>...</div>

<div>flow.spare                                 | Total                     | 9995<br>
flow_mgr.flows_checked             | Total                     | 19<br>
flow_mgr.flows_notimeout           | Total                     | 19<br>
flow_mgr.rows_checked               | Total                     | 65536<br>
flow_mgr.rows_skipped                | Total                     | 65517<br>
flow_mgr.rows_maxlen                 | Total                     | 1<br>
tcp.memuse                                 | Total                     | 819200<br>
tcp.reassembly_memuse               | Total                     | 12320544<br>
flow.memuse                                | Total                     | 7180056</div>

<div> </div>

<div>Thanks!<br>
 </div></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a></span><br><span>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a></span><br><span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br></div></blockquote></body></html>