<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>I added --runmode=single to the command line along with --simulated-ips and still got a little bit of variation but it did seem to be less. This time I got 128 alerts or 126. When I removed --simulated-ips then I received a consistent 66 alerts.
<div>
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Sent:</b> Tuesday, March 14, 2017 at 6:13 PM<br/>
<b>From:</b> "Tom DeCanio" <decanio.tom@gmail.com><br/>
<b>To:</b> "Peter Manev" <petermanev@gmail.com><br/>
<b>Cc:</b> secres@linuxmail.org, "oisf-users@lists.openinfosecfoundation.org" <oisf-users@lists.openinfosecfoundation.org><br/>
<b>Subject:</b> Re: [Oisf-users] Inconsistent results from fast.log file</div>
<div name="quoted-content">
<div>Try adding --runmode=single to your command line.</div>
<div class="gmail_extra">
<div class="gmail_quote">On Tue, Mar 14, 2017 at 3:37 PM, Peter Manev <span><<a href="mailto:petermanev@gmail.com" onclick="parent.window.location.href='petermanev@gmail.com'; return false;" target="_blank">petermanev@gmail.com</a>></span> wrote:
<blockquote class="gmail_quote" style="margin: 0 0 0 0.8ex;border-left: 1.0px rgb(204,204,204) solid;padding-left: 1.0ex;"><span>On Tue, Mar 14, 2017 at 8:54 PM, <<a href="mailto:secres@linuxmail.org" onclick="parent.window.location.href='secres@linuxmail.org'; return false;" target="_blank">secres@linuxmail.org</a>> wrote:<br/>
><br/>
> Do you use rules with threshold?<br/>
></span><br/>
> Yes, there are a few rules with thresholds but I'm not sure how that would<br/>
> vary the alert count since its the same PCAP being read in each time.<br/>
><br/>
<br/>
It seems related to -<br/>
<a href="https://redmine.openinfosecfoundation.org/issues/1772" target="_blank">https://redmine.openinfosecfoundation.org/issues/1772</a><br/>
<br/>
(please include the list in your reply :) )<br/>
<br/>
> Sent: Tuesday, March 14, 2017 at 12:39 PM<br/>
> From: "Peter Manev" <<a href="mailto:petermanev@gmail.com" onclick="parent.window.location.href='petermanev@gmail.com'; return false;" target="_blank">petermanev@gmail.com</a>><br/>
> To: <a href="mailto:secres@linuxmail.org" onclick="parent.window.location.href='secres@linuxmail.org'; return false;" target="_blank">secres@linuxmail.org</a><br/>
> Cc: <a href="mailto:oisf-users@lists.openinfosecfoundation.org" onclick="parent.window.location.href='oisf-users@lists.openinfosecfoundation.org'; return false;" target="_blank">oisf-users@lists.openinfosecfoundation.org</a><br/>
> Subject: Re: [Oisf-users] Inconsistent results from fast.log file
<div class="HOEnZb">
<div class="h5">><br/>
><br/>
> On 14 Mar 2017, at 18:03, <a href="mailto:secres@linuxmail.org" onclick="parent.window.location.href='secres@linuxmail.org'; return false;" target="_blank">secres@linuxmail.org</a> wrote:<br/>
><br/>
><br/>
>> /opt/suricata/bin/suricata -V<br/>
> This is Suricata version 3.2beta1 RELEASE<br/>
><br/>
> /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata/suricata.yaml -k<br/>
> none -r $PCAP -S $FILE<br/>
><br/>
> I've been testing out Suricata for a little bit now and I've noticed some<br/>
> inconsistent results from alerts in the fast.log file. When I read in a<br/>
> pcap using -r I end up with a total alert count of 68-72 alerts in the file.<br/>
> I have been using the same PCAP file and same rules duing each test. I<br/>
> pulled some information from the stats.log file and noticed along with the<br/>
> detect.alert changing, some of the other values changed. I would think that<br/>
> reading in a PCAP would result in the same information each time. Is this<br/>
> typical, an error, or just some kind of misconfiguration in the<br/>
> suricata.yaml fille.<br/>
><br/>
><br/>
><br/>
> Do you use rules with threshold?<br/>
><br/>
><br/>
> Also, I added --simulated-ips to the command line option and on the same<br/>
> PCAP and rules file I end up with 128-132 alerts. It still varies the same<br/>
> way as before but there's a much greater number of alerts, any ideas?<br/>
><br/>
><br/>
> Date: 3/14/2017 -- 09:12:45 (uptime: 0d, 00h 00m 00s)<br/>
> ...<br/>
> detect.alert | Total | 68<br/>
> ...<br/>
> app_layer.flow.http | Total | 62<br/>
> ...<br/>
> flow.spare | Total |<br/>
> 9996<br/>
> flow_mgr.flows_checked | Total | 23<br/>
> flow_mgr.flows_notimeout | Total | 23<br/>
> flow_mgr.rows_checked | Total | 65536<br/>
> flow_mgr.rows_skipped | Total | 65513<br/>
> flow_mgr.rows_maxlen | Total | 1<br/>
> tcp.memuse | Total |<br/>
> 819200<br/>
> tcp.reassembly_memuse | Total | 12320544<br/>
> flow.memuse | Total |<br/>
> 7175616<br/>
><br/>
><br/>
> Date: 3/14/2017 -- 09:50:02 (uptime: 0d, 00h 00m 00s)<br/>
> ...<br/>
> detect.alert | Total | 72<br/>
> ...<br/>
> app_layer.flow.http | Total | 64<br/>
> ...<br/>
> flow.spare | Total |<br/>
> 9995<br/>
> flow_mgr.flows_checked | Total | 19<br/>
> flow_mgr.flows_notimeout | Total | 19<br/>
> flow_mgr.rows_checked | Total | 65536<br/>
> flow_mgr.rows_skipped | Total | 65517<br/>
> flow_mgr.rows_maxlen | Total | 1<br/>
> tcp.memuse | Total |<br/>
> 819200<br/>
> tcp.reassembly_memuse | Total | 12320544<br/>
> flow.memuse | Total |<br/>
> 7180056<br/>
><br/>
> Thanks!<br/>
><br/>
><br/>
> _______________________________________________<br/>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" onclick="parent.window.location.href='oisf-users@openinfosecfoundation.org'; return false;" target="_blank">oisf-users@openinfosecfoundation.org</a><br/>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br/>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br/>
<br/>
<br/>
</div>
</div>
<span class="HOEnZb"><font color="#888888">--<br/>
Regards,<br/>
Peter Manev</font></span>
<div class="HOEnZb">
<div class="h5">_______________________________________________<br/>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" onclick="parent.window.location.href='oisf-users@openinfosecfoundation.org'; return false;" target="_blank">oisf-users@openinfosecfoundation.org</a><br/>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br/>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div></div></body></html>