<div dir="ltr">Try adding --runmode=single to your command line.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 14, 2017 at 3:37 PM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, Mar 14, 2017 at 8:54 PM,  <<a href="mailto:secres@linuxmail.org">secres@linuxmail.org</a>> wrote:<br>
><br>
> Do you use rules with threshold?<br>
><br>
</span>> Yes, there are a few rules with thresholds but I'm not sure how that would<br>
> vary the alert count since it's the same PCAP being read in each time.<br>
><br>
<br>
It seems related to -<br>
<a href="https://redmine.openinfosecfoundation.org/issues/1772" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/issues/1772</a><br>
<br>
(please include the list in your reply :) )<br>
<br>
> Sent: Tuesday, March 14, 2017 at 12:39 PM<br>
> From: "Peter Manev" <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>><br>
> To: <a href="mailto:secres@linuxmail.org">secres@linuxmail.org</a><br>
> Cc: <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br>
> Subject: Re: [Oisf-users] Inconsistent results from fast.log file<br>
<div class="HOEnZb"><div class="h5">><br>
><br>
> On 14 Mar 2017, at 18:03, <a href="mailto:secres@linuxmail.org">secres@linuxmail.org</a> wrote:<br>
><br>
><br>
>> /opt/suricata/bin/suricata -V<br>
> This is Suricata version 3.2beta1 RELEASE<br>
><br>
> /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata/suricata.yaml -k<br>
> none -r $PCAP -S $FILE<br>
><br>
> I've been testing out Suricata for a little bit now and I've noticed some<br>
> inconsistent results from alerts in the fast.log file.  When I read in a<br>
> pcap using -r I end up with a total alert count of 68-72 alerts in the file.<br>
> I have been using the same PCAP file and same rules during each test.  I<br>
> pulled some information from the stats.log file and noticed along with the<br>
> detect.alert changing, some of the other values changed.  I would think that<br>
> reading in a PCAP would result in the same information each time.  Is this<br>
> typical, an error, or just some kind of misconfiguration in the<br>
> suricata.yaml file?<br>
><br>
><br>
><br>
> Do you use rules with threshold?<br>
><br>
><br>
> Also, I added --simulated-ips to the command line option and on the same<br>
> PCAP and rules file I end up with 128-132 alerts.  It still varies the same<br>
> way as before but there's a much greater number of alerts; any ideas?<br>
><br>
><br>
> Date: 3/14/2017 -- 09:12:45 (uptime: 0d, 00h 00m 00s)<br>
> ...<br>
> detect.alert                               | Total                     | 68<br>
> ...<br>
> app_layer.flow.http                    | Total                     | 62<br>
> ...<br>
> flow.spare                                 | Total                     | 9996<br>
> flow_mgr.flows_checked             | Total                     | 23<br>
> flow_mgr.flows_notimeout          | Total                     | 23<br>
> flow_mgr.rows_checked             | Total                     | 65536<br>
> flow_mgr.rows_skipped              | Total                     | 65513<br>
> flow_mgr.rows_maxlen               | Total                     | 1<br>
> tcp.memuse                                 | Total                     | 819200<br>
> tcp.reassembly_memuse             | Total                     | 12320544<br>
> flow.memuse                                | Total                     | 7175616<br>
><br>
><br>
> Date: 3/14/2017 -- 09:50:02 (uptime: 0d, 00h 00m 00s)<br>
> ...<br>
> detect.alert                               | Total                     | 72<br>
> ...<br>
> app_layer.flow.http                    | Total                     | 64<br>
> ...<br>
> flow.spare                                 | Total                     | 9995<br>
> flow_mgr.flows_checked             | Total                     | 19<br>
> flow_mgr.flows_notimeout           | Total                     | 19<br>
> flow_mgr.rows_checked               | Total                     | 65536<br>
> flow_mgr.rows_skipped                | Total                     | 65517<br>
> flow_mgr.rows_maxlen                 | Total                     | 1<br>
> tcp.memuse                                 | Total                     | 819200<br>
> tcp.reassembly_memuse               | Total                     | 12320544<br>
> flow.memuse                                | Total                     | 7180056<br>
><br>
> Thanks!<br>
><br>
><br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Regards,<br>
Peter Manev<br>
</font></span><div class="HOEnZb"><div class="h5">
</div></div></blockquote></div><br></div>
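The thread's diagnosis is done by hand: two stats.log snapshots from the same PCAP are compared line by line, and the question about thresholded rules asks which signatures account for the difference. The script below, an added example that is neither code from the thread nor from the Suricata project, automates both steps so the comparison can be repeated after adding --runmode=single: it parses the "Counter | TM Name | Value" rows of stats.log, counts fast.log alerts per signature ID, and reports every counter or signature whose value is not identical across runs. The stats.log excerpts are constructed from the figures quoted in the thread; the fast.log lines, signature IDs (1000001, 1000002) and addresses are constructed placeholders.

```python
"""Compare repeated offline Suricata runs of one PCAP: report which stats.log
counters and which fast.log signatures vary between runs.

Added example, not code from the mailing-list thread or from Suricata.
All inputs below are constructed; stats values are taken from the thread's quotes."""
import re
from collections import Counter
from typing import Dict, List

# Constructed stats.log excerpts for two runs of the same PCAP (abbreviated).
STATS_RUN_A = """\
Date: 3/14/2017 -- 09:12:45 (uptime: 0d, 00h 00m 00s)
-------------------------------------------------------------------
Counter                                    | TM Name                   | Value
-------------------------------------------------------------------
detect.alert                               | Total                     | 68
app_layer.flow.http                        | Total                     | 62
flow.spare                                 | Total                     | 9996
flow_mgr.flows_checked                     | Total                     | 23
tcp.reassembly_memuse                      | Total                     | 12320544
"""
STATS_RUN_B = """\
Date: 3/14/2017 -- 09:50:02 (uptime: 0d, 00h 00m 00s)
-------------------------------------------------------------------
Counter                                    | TM Name                   | Value
-------------------------------------------------------------------
detect.alert                               | Total                     | 72
app_layer.flow.http                        | Total                     | 64
flow.spare                                 | Total                     | 9995
flow_mgr.flows_checked                     | Total                     | 19
tcp.reassembly_memuse                      | Total                     | 12320544
"""

# Constructed fast.log excerpts; signature IDs, messages and addresses are placeholders.
FAST_RUN_A = """\
03/14/2017-09:12:45.000101  [**] [1:1000001:1] TEST HTTP request seen [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:49152 -> 198.51.100.5:80
03/14/2017-09:12:45.000202  [**] [1:1000001:1] TEST HTTP request seen [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.11:49153 -> 198.51.100.5:80
03/14/2017-09:12:45.000303  [**] [1:1000002:1] TEST thresholded rule [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.12:49154 -> 198.51.100.5:80
"""
FAST_RUN_B = """\
03/14/2017-09:50:02.000101  [**] [1:1000001:1] TEST HTTP request seen [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:49152 -> 198.51.100.5:80
03/14/2017-09:50:02.000202  [**] [1:1000001:1] TEST HTTP request seen [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.11:49153 -> 198.51.100.5:80
03/14/2017-09:50:02.000303  [**] [1:1000002:1] TEST thresholded rule [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.12:49154 -> 198.51.100.5:80
03/14/2017-09:50:02.000404  [**] [1:1000002:1] TEST thresholded rule [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.13:49155 -> 198.51.100.5:80
"""

# A stats row: "<counter name> | <thread/module name> | <integer value>".
STAT_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.]+)\s*\|\s*(?P<tm>[^|]*?)\s*\|\s*(?P<value>\d+)\s*$")
# The "[**] [gid:sid:rev]" field of a fast.log alert line.
SID_FIELD = re.compile(r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]")


def parse_stats(text: str) -> Dict[str, int]:
    """Map counter name -> value for the 'Total' rows of one stats.log snapshot.
    The Date line, separators and the column header never match and are skipped."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line.strip())
        if m and m.group("tm") == "Total":
            counters[m.group("name")] = int(m.group("value"))
    return counters


def alerts_per_sid(text: str) -> Dict[str, int]:
    """Count fast.log alert lines per signature, keyed as 'gid:sid'."""
    counts: Counter = Counter()
    for line in text.splitlines():
        m = SID_FIELD.search(line)
        if m:
            counts[f"{m.group('gid')}:{m.group('sid')}"] += 1
    return dict(counts)


def unstable_keys(runs: List[Dict[str, int]]) -> Dict[str, List[int]]:
    """Return every key whose value is not identical across all runs, with the
    per-run values in order (None where a run lacks the key)."""
    keys = set().union(*runs)
    return {k: [r.get(k) for r in runs]
            for k in sorted(keys) if len({r.get(k) for r in runs}) > 1}


if __name__ == "__main__":
    stats_diff = unstable_keys([parse_stats(STATS_RUN_A), parse_stats(STATS_RUN_B)])
    sid_diff = unstable_keys([alerts_per_sid(FAST_RUN_A), alerts_per_sid(FAST_RUN_B)])
    print("stats.log counters that changed between runs:")
    for name, values in stats_diff.items():
        print(f"  {name}: {values}")
    print("signatures whose alert count changed between runs:")
    for sid, values in sid_diff.items():
        print(f"  {sid}: {values}")
```

Run it once per Suricata invocation with the real stats.log and fast.log substituted for the constructed strings; an empty result from both functions after switching to --runmode=single is the outcome the reply above is aiming for, and a non-empty per-signature result narrows the varying alerts down to the rules worth checking for threshold keywords.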