[Oisf-devel] Suricata's Limitation? (Peter Manev) (Anoop)

Prabhakaran Kasinathan prabhakaran1989 at gmail.com
Wed Jul 31 14:07:15 UTC 2013


>
> Message: 4
> Date: Tue, 30 Jul 2013 16:26:03 +0100
> From: Peter Manev <petermanev at gmail.com>
> To: Prabhakaran Kasinathan <prabhakaran1989 at gmail.com>
> Cc: suricata Mail List <oisf-devel at openinfosecfoundation.org>
> Subject: Re: [Oisf-devel] Suricata's Limitation?
> Message-ID: <C89727F7-CA05-42CC-AD59-E8AB2313D316 at gmail.com>
> Content-Type: text/plain;       charset=us-ascii
>
>
>
> On 30 Jul 2013, at 15:47, Prabhakaran Kasinathan <prabhakaran1989 at gmail.com> wrote:
>
> > Hi everyone,
> >
> > Let's consider that we have a pcap file with 50 matches of ICMP_SEQ:$number$ using wireshark.
> >
> > When we use suricata using the same pcap to match ICMP_SEQ:$number$ (in a rule), it produces sometimes different, but little less than or equal to the actual 50 matches.
> >
> > I mean for the first time it triggers 45 alerts, and different next time. It misses some matches! This pattern can be reproduced in different cases such as threshold rule, etc. Each time with the same rule and same pcap, I get different match or sometime same number of match.
>
> What if you try to lower the inspection chunk size in suricata.yaml(also
> disable chksum checking and use "--runmode=single") ?
>
>
>
It worked with "--runmode single"! I ran the matching several times and present the results below.

Conditions:
Runmode = normal

Wireshark: 46 displayed (matched)
Suricata attempts: matches

   1. 43
   2. 44
   3. 43
   4. 45
   5. 43

Runmode = single
# sudo ./src/.libs/suricata -c suricata.yaml -r test00.pcapng --runmode single
Wireshark: 46 displayed (matched)

   1. 46
   2. 46
   3. 46
   4. ...working!!



> >
> > Is this a limitation of all NIDSs?
> > --
> > Best Regards,
> > Prabhakaran Kasinathan
>

On Wed, Jul 31, 2013 at 3:12 PM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:

> On Wed, Jul 31, 2013 at 6:26 PM, Prabhakaran Kasinathan
> <prabhakaran1989 at gmail.com> wrote:
> > On 07/30/2013 04:47 PM, Prabhakaran Kasinathan wrote:
> >>
> >> > Hi everyone,
> >> >
> >> > Let's consider that we have a pcap file with 50 matches of ICMP_SEQ:$number$ using wireshark.
> >> >
> >> > When we use suricata using the same pcap to match ICMP_SEQ:$number$ (in a rule), it produces sometimes different, but little less than or equal to the actual 50 matches.
> >> >
> >> > I mean for the first time it triggers 45 alerts, and different next time. It misses some matches! This pattern can be reproduced in different cases such as threshold rule, etc. Each time with the same rule and same pcap, I get different match or sometime same number of match.
> >>
> >> How are you starting Suricata? I get predictable results every time.
> >>
> > I found that, when the pcap size is small, Suricata predicts the exact numbers. But if the pcap is a little larger, it has an impact on the accuracy.
> >
> > After make, I start suricata like this:
> > sudo ./src/.libs/suricata -c suricata.yaml -r test00.pcapng
> >
>
> My reply from the other mail -
>
> "Do you see it with non threshold/event rules as well?  If it is with
> threshold/event rules it is possible to get different alerts based on
> timing."
>
Yes! For non-threshold/event rules it also gives a different number of alerts! But as described above, if I run Suricata in "single" runmode, i.e. single-threaded, it gives predictable results.

Thank you! What could be the fix for this problem?
--
Best Regards,
Prabha.
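As an added example (not from this thread or the Suricata project), a small Python script that parses Suricata fast.log output from repeated runs of the same pcap and reports which signatures produced a varying alert count between runs; the fast.log lines are constructed here from the counts reported above, and the signature ids are placeholders.

```python
import re
from collections import Counter

# Suricata fast.log alert line: "<timestamp>  [**] [gid:sid:rev] <msg> [**] ..."
FAST_LOG_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")


def count_alerts(fast_log_text):
    """Return a Counter of alerts keyed by (gid, sid) from fast.log text."""
    counts = Counter()
    for line in fast_log_text.splitlines():
        m = FAST_LOG_RE.search(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def compare_runs(runs):
    """Given per-run Counters, return {(gid, sid): sorted distinct counts} for
    every signature whose count differs between runs; {} means deterministic."""
    keys = set()
    for r in runs:
        keys.update(r)
    unstable = {}
    for k in sorted(keys):
        seen = sorted({r.get(k, 0) for r in runs})
        if len(seen) > 1:
            unstable[k] = seen
    return unstable


def _fake_fast_log(n_icmp, n_other):
    """Constructed fast.log content (not a real capture); sids are placeholders."""
    icmp = ("07/31/2013-14:07:15.000001  [**] [1:2000001:1] ICMP_SEQ test [**] "
            "[Classification: (null)] [Priority: 3] {ICMP} 10.0.0.1:8 -> 10.0.0.2:0")
    other = ("07/31/2013-14:07:16.000001  [**] [1:2000002:1] other test [**] "
             "[Classification: (null)] [Priority: 3] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80")
    return "\n".join([icmp] * n_icmp + [other] * n_other)


# Counts from the thread: normal runmode gave 43, 44, 43, 45, 43 alerts;
# single runmode gave 46 every time, matching Wireshark's 46 displayed.
NORMAL_RUNS = [count_alerts(_fake_fast_log(n, 5)) for n in (43, 44, 43, 45, 43)]
SINGLE_RUNS = [count_alerts(_fake_fast_log(46, 5)) for _ in range(3)]

if __name__ == "__main__":
    print("normal runmode unstable sids:", compare_runs(NORMAL_RUNS))
    print("single runmode unstable sids:", compare_runs(SINGLE_RUNS))
```

To use it on real output, run Suricata several times against the same pcap with a fresh log directory each time, read each fast.log into count_alerts, and pass the list to compare_runs.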