[Oisf-devel] Help! How can I get alerts when each pcap replaying

xbadou xbadou xbadou at gmail.com
Tue Jul 16 04:52:49 UTC 2013


Hi,

In this way, if I resend the pcap instantly, the packets may go to the
server which Suricata protects.
Is that a new method to bypass Suricata?

How can I change the source code so that whenever a SYN packet comes, we cull
the old flow and create a new flow?
Thanks.


On Mon, Jul 15, 2013 at 11:01 PM, Anoop Saldanha <anoopsaldanha at gmail.com>wrote:

> You are reusing the same old flows if you resend the pcap instantly.
> The wait gets you the desired result since by then the old flows are
> culled.
>
> Modify flow-timeouts.tcp.[new|established|closed] to a smaller
> value(but not small enough that the flow's culled before all packets
> are seen from the flow on a single run) and see if that solves it for
> you.
>
> On Mon, Jul 15, 2013 at 7:55 PM, xbadou xbadou <xbadou at gmail.com> wrote:
> > Hi, Peter
> >
> > In my test, I find that when I sleep a while (several minutes) between
> > each replay, then each replay causes alerts correctly.
> >
> > 'Correctly' here means that if each replay causes 50 alerts, N replays
> > cause N*50 alerts.
> >
> >
> >
> > On Mon, Jul 15, 2013 at 10:12 PM, xbadou xbadou <xbadou at gmail.com> wrote:
> >>
> >> Hi
> >>
> >> I replay the pcap file which is attached. The pcap file can cause many
> >> alerts in fast.log, for example 50 alerts. When I replay it for a second
> >> time, I expected there to be 100 alerts in fast.log but it is still 50.
> >>
> >> But when I restart Suricata and replay the packets, then I get 100
> >> alerts.
> >>
> >>
> >>
> >> On Mon, Jul 15, 2013 at 9:50 PM, Peter Manev <petermanev at gmail.com> wrote:
> >>>
> >>> Hi ,
> >>>
> >>> >
> >>> >
> >>> >
> >>> > On Mon, Jul 15, 2013 at 8:54 PM, xbadou xbadou <xbadou at gmail.com> wrote:
> >>> >>
> >>> >> Hi
> >>> >>
> >>> >> I am using Suricata 1.4.2. Today I did a test, but can't get the result
> >>> >> I want.
> >>> >>
> >>>
> >>> What is the result that you want?
> >>>
> >>> >>
> >>> >>
> >>> >> I use a computer running Suricata and listening to traffic on one
> >>> >> interface. At the same time, I use another PC to replay a pcap file on
> >>> >> the interface which is connected to the first PC. The pcap file contains
> >>> >> some TCP packets which can cause alerts.
> >>> >>
> >>> >>
> >>> >>
> >>>
> >>>
> >>> What are the alerts that you are seeing and what are the alerts that
> >>> you are expecting?
> >>>
> >>>
> >>>
> >>> Regards,
> >>> Peter Manev
> >>
> >>
> >
> >
>
>
>
> --
> -------------------------------
> Anoop Saldanha
> http://www.poona.me
> -------------------------------
>
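An added toy model of the flow-reuse behaviour Anoop describes (it is not Suricata's code and not from the thread): a flow keyed by 5-tuple stays live until its idle timeout, a per-flow rule fires once per flow, and stream inspection needs to have seen the SYN. The timeout values, the `reset_on_syn` switch (the change xbadou asks about) and the two-packet "pcap" are all constructed here.

```python
# Toy model of per-flow alerting under flow timeouts. Constructed example,
# not Suricata code: it mimics the behaviour described in the thread.
from dataclasses import dataclass

@dataclass
class Flow:
    last_seen: float
    saw_syn: bool = False   # stream inspection needs the handshake (no midstream pickup)
    alerted: bool = False   # the rule in question fires once per flow

class FlowTable:
    def __init__(self, timeout, reset_on_syn=False):
        self.timeout = timeout            # plays the role of flow-timeouts.tcp.* in suricata.yaml
        self.reset_on_syn = reset_on_syn  # hypothetical: start a fresh flow on every SYN
        self.flows = {}
        self.alerts = 0

    def packet(self, now, key, syn=False, matches=False):
        # Cull idle flows first, as a flow manager would between replays.
        for k in [k for k, f in self.flows.items() if now - f.last_seen > self.timeout]:
            del self.flows[k]
        flow = self.flows.get(key)
        if flow is None or (syn and self.reset_on_syn):
            flow = self.flows[key] = Flow(last_seen=now)   # fresh flow state
        flow.last_seen = now
        flow.saw_syn |= syn
        if matches and flow.saw_syn and not flow.alerted:
            flow.alerted = True
            self.alerts += 1

# Constructed "pcap": one TCP flow, a SYN followed 0.1 s later by a matching payload.
KEY = ("10.0.0.1", 40000, "10.0.0.2", 80)
PCAP = [(0.0, KEY, True, False), (0.1, KEY, False, True)]

def alerts_after_replays(timeout, gap, reset_on_syn=False, replays=2):
    """Replay PCAP `replays` times, `gap` seconds apart, and return the total alert count."""
    table = FlowTable(timeout, reset_on_syn)
    for i in range(replays):
        for offset, key, syn, matches in PCAP:
            table.packet(i * gap + offset, key, syn, matches)
    return table.alerts

if __name__ == "__main__":
    print(alerts_after_replays(60, 1))                     # instant replay reuses the live flow: 1
    print(alerts_after_replays(60, 300))                   # replay after the timeout: 2
    print(alerts_after_replays(0.05, 300))                 # timeout too small, flow culled mid-run: 0
    print(alerts_after_replays(60, 1, reset_on_syn=True))  # SYN starts a fresh flow: 2
```

The third case is Anoop's caveat: a timeout shorter than the gaps inside one replay culls the flow before its last packets, so the matching payload arrives on a flow that never saw the handshake and nothing alerts at all.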

