<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>I added --runmode=single to the command line along with --simulated-ips and still got a little bit of variation but it did seem to be less.  This time I got 128 alerts or 126.  When I removed --simulated-ips then I received a consistent 66 alerts.

<div> 

<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">

<div style="margin:0 0 10px 0;"><b>Sent:</b> Tuesday, March 14, 2017 at 6:13 PM<br/>

<b>From:</b> "Tom DeCanio" <decanio.tom@gmail.com><br/>

<b>To:</b> "Peter Manev" <petermanev@gmail.com><br/>

<b>Cc:</b> secres@linuxmail.org, "oisf-users@lists.openinfosecfoundation.org" <oisf-users@lists.openinfosecfoundation.org><br/>

<b>Subject:</b> Re: [Oisf-users] Inconsistent results from fast.log file</div>

<div name="quoted-content">

<div>Try adding --runmode=single to your command line.</div>

<div class="gmail_extra"> 

<div class="gmail_quote">On Tue, Mar 14, 2017 at 3:37 PM, Peter Manev <span><<a href="mailto:petermanev@gmail.com" onclick="parent.window.location.href='petermanev@gmail.com'; return false;" target="_blank">petermanev@gmail.com</a>></span> wrote:

<blockquote class="gmail_quote" style="margin: 0 0 0 0.8ex;border-left: 1.0px rgb(204,204,204) solid;padding-left: 1.0ex;"><span>On Tue, Mar 14, 2017 at 8:54 PM,  <<a href="mailto:secres@linuxmail.org" onclick="parent.window.location.href='secres@linuxmail.org'; return false;" target="_blank">secres@linuxmail.org</a>> wrote:<br/>

><br/>

> Do you use rules with threshold?<br/>

></span><br/>

> Yes, there are a few rules with thresholds but I'm not sure how that would<br/>

> vary the alert count since its the same PCAP being read in each time.<br/>

><br/>

<br/>

It seems related to -<br/>

<a href="https://redmine.openinfosecfoundation.org/issues/1772" target="_blank">https://redmine.openinfosecfoundation.org/issues/1772</a><br/>

<br/>

(please include the list in your reply :) )<br/>

<br/>

> Sent: Tuesday, March 14, 2017 at 12:39 PM<br/>

> From: "Peter Manev" <<a href="mailto:petermanev@gmail.com" onclick="parent.window.location.href='petermanev@gmail.com'; return false;" target="_blank">petermanev@gmail.com</a>><br/>

> To: <a href="mailto:secres@linuxmail.org" onclick="parent.window.location.href='secres@linuxmail.org'; return false;" target="_blank">secres@linuxmail.org</a><br/>

> Cc: <a href="mailto:oisf-users@lists.openinfosecfoundation.org" onclick="parent.window.location.href='oisf-users@lists.openinfosecfoundation.org'; return false;" target="_blank">oisf-users@lists.openinfosecfoundation.org</a><br/>

> Subject: Re: [Oisf-users] Inconsistent results from fast.log file

<div class="HOEnZb">

<div class="h5">><br/>

><br/>

> On 14 Mar 2017, at 18:03, <a href="mailto:secres@linuxmail.org" onclick="parent.window.location.href='secres@linuxmail.org'; return false;" target="_blank">secres@linuxmail.org</a> wrote:<br/>

><br/>

><br/>

>> /opt/suricata/bin/suricata -V<br/>

> This is Suricata version 3.2beta1 RELEASE<br/>

><br/>

> /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata/suricata.yaml -k<br/>

> none -r $PCAP -S $FILE<br/>

><br/>

> I've  been testing out Suricata for a little bit now and I've noticed some<br/>

> inconsistent results from alerts in the fast.log file.  When I read in a<br/>

> pcap using -r I end up with a total alert count of 68-72 alerts in the file.<br/>

> I have been using the same PCAP file and same rules duing each test.  I<br/>

> pulled some information from the stats.log file and noticed along with the<br/>

> detect.alert changing, some of the other values changed.  I would think that<br/>

> reading in a PCAP would result in the same information each time.  Is this<br/>

> typical, an error, or just some kind of misconfiguration in the<br/>

> suricata.yaml fille.<br/>

><br/>

><br/>

><br/>

> Do you use rules with threshold?<br/>

><br/>

><br/>

> Also,  I added --simulated-ips to the command line option and on the same<br/>

> PCAP and rules file I end up with 128-132 alerts.  It still varies the same<br/>

> way as before but there's a much greater number of alerts, any ideas?<br/>

><br/>

><br/>

> Date: 3/14/2017 -- 09:12:45 (uptime: 0d, 00h 00m 00s)<br/>

> ...<br/>

> detect.alert                               | Total                     | 68<br/>

> ...<br/>

> app_layer.flow.http                    | Total                     | 62<br/>

> ...<br/>

> flow.spare                                 | Total                     |<br/>

> 9996<br/>

> flow_mgr.flows_checked             | Total                     | 23<br/>

> flow_mgr.flows_notimeout          | Total                     | 23<br/>

> flow_mgr.rows_checked             | Total                     | 65536<br/>

> flow_mgr.rows_skipped              | Total                     | 65513<br/>

> flow_mgr.rows_maxlen               | Total                     | 1<br/>

> tcp.memuse                               | Total                     |<br/>

> 819200<br/>

> tcp.reassembly_memuse             | Total                     | 12320544<br/>

> flow.memuse                              | Total                     |<br/>

> 7175616<br/>

><br/>

><br/>

> Date: 3/14/2017 -- 09:50:02 (uptime: 0d, 00h 00m 00s)<br/>

> ...<br/>

> detect.alert                               | Total                     | 72<br/>

> ...<br/>

> app_layer.flow.http                    | Total                     | 64<br/>

> ...<br/>

> flow.spare                                 | Total                     |<br/>

> 9995<br/>

> flow_mgr.flows_checked             | Total                     | 19<br/>

> flow_mgr.flows_notimeout           | Total                     | 19<br/>

> flow_mgr.rows_checked               | Total                     | 65536<br/>

> flow_mgr.rows_skipped                | Total                     | 65517<br/>

> flow_mgr.rows_maxlen                 | Total                     | 1<br/>

> tcp.memuse                                 | Total                     |<br/>

> 819200<br/>

> tcp.reassembly_memuse               | Total                     | 12320544<br/>

> flow.memuse                                | Total                     |<br/>

> 7180056<br/>

><br/>

> Thanks!<br/>

><br/>

><br/>

> _______________________________________________<br/>

> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" onclick="parent.window.location.href='oisf-users@openinfosecfoundation.org'; return false;" target="_blank">oisf-users@openinfosecfoundation.org</a><br/>

> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br/>

> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br/>

<br/>

<br/>

 </div>

</div>

<span class="HOEnZb"><font color="#888888">--<br/>

Regards,<br/>

Peter Manev</font></span>

<div class="HOEnZb">

<div class="h5">_______________________________________________<br/>

Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" onclick="parent.window.location.href='oisf-users@openinfosecfoundation.org'; return false;" target="_blank">oisf-users@openinfosecfoundation.org</a><br/>

Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br/>

List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></div>

</div>

</blockquote>

</div>

</div>

</div>

</div>

</div>

</div></div></body></html>