[Oisf-devel] Help! How can I get alerts when each pcap replaying

xbadou xbadou xbadou at gmail.com
Mon Jul 15 14:25:00 UTC 2013


Hi, Peter

In my test, I find that when I sleep a while (several minutes) between each
replay, then each replay causes alerts correctly.

By ‘correctly’ here I mean that if each replay causes 50 alerts, N replays
cause N*50 alerts.


On Mon, Jul 15, 2013 at 10:12 PM, xbadou xbadou <xbadou at gmail.com> wrote:

> Hi
>
> I replay the pcap file which is attached. The pcap file can cause many
> alerts in fast.log, for example 50 alerts. When I replay it a second
> time, I expected there would be 100 alerts in fast.log, but it is still 50.
>
> But when I restart suricata and replay the packets, then I can get 100
> alerts.
>
>
> On Mon, Jul 15, 2013 at 9:50 PM, Peter Manev <petermanev at gmail.com> wrote:
>
>> Hi ,
>>
>> >
>> > On Mon, Jul 15, 2013 at 8:54 PM, xbadou xbadou <xbadou at gmail.com>
>> wrote:
>> >>
>> >> Hi
>> >>
>> >> I am using suricata 1.4.2. Today I did a test, but can't get the result I
>> >> want.
>> >>
>>
>> What is the result that you want?
>>
>> >>
>> >> I use a computer running suricata and listening to traffic on one interface.
>> >> At the same time, I use the other PC to replay a pcap file on the interface
>> >> which is connected to the first PC. The pcap file contains some TCP packets
>> >> which can cause alerts.
>> >>
>>
>> What are the alerts that you are seeing and what are the alerts that
>> you are expecting?
>>
>>
>>
>> Regards,
>> Peter Manev
>>
>
>
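A way to measure the per-replay alert count the thread is comparing (an added example, not code from the thread or from Suricata): it parses Suricata fast.log lines, splits them into windows that start at each replay's start time, and flags replays that produced fewer alerts than expected. The log lines, replay times and expected count below are constructed.

```python
import re
from datetime import datetime

# Suricata fast.log line layout (1.x series):
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)
TS_FMT = "%m/%d/%Y-%H:%M:%S.%f"

def parse_fast_log(lines):
    """Parse fast.log lines into dicts; lines that do not match the layout are skipped."""
    alerts = []
    for line in lines:
        m = FAST_LOG_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["time"] = datetime.strptime(a["ts"], TS_FMT)
            a["sid"] = int(a["sid"])
            alerts.append(a)
    return alerts

def alerts_per_replay(alerts, replay_starts):
    """Count alerts in each window [replay_starts[i], replay_starts[i+1]); the last window is open-ended."""
    counts = []
    for i, start in enumerate(replay_starts):
        end = replay_starts[i + 1] if i + 1 < len(replay_starts) else None
        counts.append(sum(1 for a in alerts if a["time"] >= start and (end is None or a["time"] < end)))
    return counts

def check_replays(alerts, replay_starts, expected_per_replay):
    """Return (per-replay counts, indexes of replays that produced fewer alerts than expected)."""
    counts = alerts_per_replay(alerts, replay_starts)
    short = [i for i, c in enumerate(counts) if c < expected_per_replay]
    return counts, short

# Constructed sample: replay at 14:00 alerts, replay at 14:01 (right after) produces nothing,
# replay at 14:10 (after several minutes of sleep) alerts again.
SAMPLE_LOG = """\
07/15/2013-14:00:01.000123  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.2:80 -> 10.0.0.1:40001
07/15/2013-14:00:01.000456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.2:80 -> 10.0.0.1:40002
07/15/2013-14:10:02.000123  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.2:80 -> 10.0.0.1:40001
07/15/2013-14:10:02.000456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.2:80 -> 10.0.0.1:40002
""".splitlines()
REPLAY_STARTS = [datetime(2013, 7, 15, 14, 0, 0), datetime(2013, 7, 15, 14, 1, 0), datetime(2013, 7, 15, 14, 10, 0)]

if __name__ == "__main__":
    counts, short = check_replays(parse_fast_log(SAMPLE_LOG), REPLAY_STARTS, expected_per_replay=2)
    print("alerts per replay:", counts, "replays short of expected:", short)  # [2, 0, 2] [1]
```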