[Oisf-users] Fast log delay
Victor Julien
lists at inliniac.net
Mon Apr 8 14:47:37 UTC 2013
On 04/08/2013 04:41 PM, Leonard Jacobs wrote:
> I might be seeing this same issue. But I might be seeing it on Suricata
> 1.4 also.
This is normal in 2 cases:
1. TCP close (FIN/RST) is missed or missing
2. TCP close (FIN/RST) is rejected
In these cases the final inspection is done when the flow times out in
Suricata.
Inspecting such a stream with tcpdump/wireshark may give you some
insight. Also, enabling Suricata's stream-events.rules may tell you why
Suricata rejected a packet, if it did so.
> Jose Paulo <paulo at sistemasolar.com.br>, 4/8/2013 9:34 AM:
>
> Hello all.
>
> I'm getting a strange behavior.
> I'm using fast.log as output, but Suricata is flushing the log file
> only after the TCP stream is closed.
> Is there any parameter for this, in suricata.yaml or OS?
>
> OS is Linux and Suricata is 1.4.1 RELEASE.
>
> Thanks in advance.
>
> José Paulo
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
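The two things Victor points at, enabling stream-events.rules and the flow timeout after which a stream with a missed or rejected close is finally inspected, both live in suricata.yaml. The fragment below is an added illustration, not from the thread or the Suricata project; the rule path and the timeout values are assumptions for a lab box, and the default-section values shown are the ones that apply to TCP flows here.

```yaml
# Added example: suricata.yaml fragment (not from the thread).
# Paths and timeout values are assumptions; adjust for your deployment.

default-rule-path: /etc/suricata/rules   # assumption
rule-files:
  - emerging-all.rules
  # Fires on stream anomalies, e.g. why a FIN/RST was rejected,
  # so a late fast.log alert can be explained instead of guessed at.
  - stream-events.rules

# A TCP flow whose close was missed or rejected is only inspected
# fully when it times out. "established" is the timeout that makes
# a stuck stream's final alerts show up in fast.log; "closed" covers
# flows where the close was seen. Shorter values surface alerts
# sooner at the cost of more flow churn on a busy sensor.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 600      # assumption: lowered from a longer default
    closed: 60
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 10
```

After changing the timeouts, reproduce the original test and compare the alert timestamp in fast.log against the flow's last packet in the pcap; the gap should now be bounded by the configured timeout.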