
<html>

  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

  </head>

  <body>

    <p>Looks like there is a limit of 15 alerts per packet.  From

<a class="moz-txt-link-freetext" href="https://github.com/OISF/suricata/blob/700eebaeccb94bdd0ad6a22466c0026afed6c4df/src/decode.h#L291">https://github.com/OISF/suricata/blob/700eebaeccb94bdd0ad6a22466c0026afed6c4df/src/decode.h#L291</a>

      :</p>

    <pre>#<span class="pl-k">define</span> <span class="pl-en">PACKET_ALERT_MAX</span> <span class="pl-c1">15</span></pre>

    <p><span class="pl-en">You could try increasing this and

        recompiling.<br>

      </span></p>

    <p><span class="pl-en">-David</span></p>

    <div class="moz-cite-prefix"><br>

    </div>

    <div class="moz-cite-prefix">On 1/9/20 2:33 AM, Lucas Augusto Mota

      de Alcantara wrote:<br>

    </div>

    <blockquote type="cite"

cite="mid:CAGbMLi4XBSX0XKspbOFroMvm-D_v+wH3aWAwk4PzBytP9wHb0Q@mail.gmail.com">

      <meta http-equiv="content-type" content="text/html; charset=UTF-8">

      <div dir="ltr">

        <div>Hello everyone,</div>

        <div><br>

        </div>

        <div>I'm testing some rules and I want to count how many times

          each rule matches for a certain pcap file, but I noticed that

          suricata is alerting for only the first few rules of the rule

          file.<br>

        </div>

        <div><br>

        </div>

        For example, in the attached files I have a .rules file with

        thousands of rules and a .pcap file with 4 packets. Most rules

        in that file should alert all 4 times, and some should still

        alert at least 1 time.<br>

        <br>

        The  problem is that when I check the fast.log for the alerts,

        only 60 alerts are being logged (the first 15 rules that alert

        once for each packet). Is there a reason why suricata is only

        logging those first few alerts? And is there a way to make sure

        suricata alerts every time it should alert?<br>

      </div>

      <br>

      <fieldset class="mimeAttachmentHeader"></fieldset>

      <pre class="moz-quote-pre" wrap="">_______________________________________________

Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>

Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>

List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>


Conference: <a class="moz-txt-link-freetext" href="https://suricon.net">https://suricon.net</a>

Trainings: <a class="moz-txt-link-freetext" href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></pre>

    </blockquote>

  </body>

</html>