[Oisf-devel] Help! How can I get alerts when each pcap replaying

Anoop Saldanha anoopsaldanha at gmail.com
Tue Jul 16 07:58:53 UTC 2013


On Tue, Jul 16, 2013 at 10:22 AM, xbadou xbadou <xbadou at gmail.com> wrote:
> Hi,
>
> In this way, if I resend the pcap instantly, the packets may go to the
> server which Suricata protects.
> Is that a new method to bypass Suricata?

Nope, it isn't.  The machines you protect have similar timeouts and
would mirror suricata's treatment of freshly injected packets.

>
> How can I change the source code so that whenever a SYN packet comes, we
> cull the old flow and create a new flow?
> Thanks.
>
>
> On Mon, Jul 15, 2013 at 11:01 PM, Anoop Saldanha <anoopsaldanha at gmail.com>
> wrote:
>>
>> You are reusing the same old flows if you resend the pcap instantly.
>> The wait gets you the desired result since by then the old flows are
>> culled.
>>
>> Modify flow-timeouts.tcp.[new|established|closed] to a smaller
>> value (but not small enough that the flow's culled before all packets
>> are seen from the flow on a single run) and see if that solves it for
>> you.
>>
>> On Mon, Jul 15, 2013 at 7:55 PM, xbadou xbadou <xbadou at gmail.com> wrote:
>> > Hi, Peter
>> >
>> > In my test, I find that when I sleep a while (several minutes) between
>> > each replay, then each replay causes alerts correctly.
>> >
>> > ‘Correctly’ here I mean that if each replay causes 50 alerts, N replays
>> > cause N*50 alerts.
>> >
>> >
>> >
>> > On Mon, Jul 15, 2013 at 10:12 PM, xbadou xbadou <xbadou at gmail.com>
>> > wrote:
>> >>
>> >> Hi
>> >>
>> >> I replay the pcap file which is attached. The pcap file can cause many
>> >> alerts in fast.log, for example 50 alerts. When I replay it for a
>> >> second time, I expect there to be 100 alerts in fast.log, but it is
>> >> still 50.
>> >>
>> >> But when I restart Suricata and replay the packets, then I can get 100
>> >> alerts.
>> >>
>> >>
>> >>
>> >> On Mon, Jul 15, 2013 at 9:50 PM, Peter Manev <petermanev at gmail.com>
>> >> wrote:
>> >>>
>> >>> Hi,
>> >>>
>> >>> >
>> >>> >
>> >>> >
>> >>> > On Mon, Jul 15, 2013 at 8:54 PM, xbadou xbadou <xbadou at gmail.com>
>> >>> > wrote:
>> >>> >>
>> >>> >> Hi
>> >>> >>
>> >>> >>
>> >>> >>
>> >>> >> I am using Suricata 1.4.2. Today I did a test, but can't get the
>> >>> >> result I want.
>> >>> >>
>> >>>
>> >>> What is the result that you want?
>> >>>
>> >>> >>
>> >>> >>
>> >>> >> I use a computer running Suricata and listening to traffic on one
>> >>> >> interface. At the same time, I use another PC to replay a pcap file
>> >>> >> on the interface which is connected to the first PC. The pcap file
>> >>> >> contains some TCP packets which can cause alerts.
>> >>> >>
>> >>> >>
>> >>> >>
>> >>>
>> >>>
>> >>> What are the alerts that you are seeing and what are the alerts that
>> >>> you are expecting?
>> >>>
>> >>>
>> >>>
>> >>> Regards,
>> >>> Peter Manev
>> >>
>> >>
>> >
>> >
>>
>>
>>
>> --
>> -------------------------------
>> Anoop Saldanha
>> http://www.poona.me
>> -------------------------------
>
>



-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
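An added illustration (not Suricata code, and not from anyone on this thread) of the flow-table behaviour Anoop describes: a constructed toy flow table with one idle timeout, a three-packet TCP session standing in for the attached pcap, and a simplified rule that fires on new data in a flow that opened with a SYN. The packet fields, addresses and the rule semantics are assumptions made for the model; it shows why an instant replay reuses the old flow (duplicate sequence numbers look like retransmissions), why replaying after the timeout alerts again, and what happens when the timeout is shorter than the session itself.

```python
from dataclasses import dataclass, field

@dataclass
class Flow:
    last_seen: float
    handshake: bool                      # flow was opened by a SYN we saw
    seen_seq: set = field(default_factory=set)

class FlowTable:
    """Toy 5-tuple flow table with a single idle timeout (constructed model)."""
    def __init__(self, timeout):
        self.timeout, self.flows, self.alerts = timeout, {}, 0

    def _cull(self, now):
        # drop flows idle longer than the timeout, like flow-timeouts.tcp.*
        self.flows = {k: f for k, f in self.flows.items()
                      if now - f.last_seen <= self.timeout}

    def process(self, pkt):
        self._cull(pkt["ts"])
        key = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        flow = self.flows.get(key)
        if flow is None:                 # new flow; only a SYN gives a tracked handshake
            flow = Flow(pkt["ts"], handshake=(pkt["flags"] == "S"))
            self.flows[key] = flow
        flow.last_seen = pkt["ts"]
        if pkt["payload"] is None or pkt["seq"] in flow.seen_seq:
            return                       # no data, or a retransmission: nothing new to inspect
        flow.seen_seq.add(pkt["seq"])
        if flow.handshake and "EVIL" in pkt["payload"]:
            self.alerts += 1             # toy rule: flow:established + content:"EVIL"

def make_pcap(base_ts, spacing=1.0):
    """Constructed 3-packet session: SYN, data, FIN; spacing is the gap between packets."""
    common = {"src": "10.0.0.1", "sport": 40000, "dst": "10.0.0.2", "dport": 80}
    return [
        dict(common, ts=base_ts, flags="S", seq=1000, payload=None),
        dict(common, ts=base_ts + spacing, flags="PA", seq=1001, payload="GET /EVIL"),
        dict(common, ts=base_ts + 2 * spacing, flags="FA", seq=1010, payload=None),
    ]

def replay(timeout, gap, runs=2, spacing=1.0):
    """Replay the same session `runs` times, `gap` seconds apart; return alert count."""
    table = FlowTable(timeout)
    for i in range(runs):
        for pkt in make_pcap(base_ts=i * gap, spacing=spacing):
            table.process(pkt)
    return table.alerts
```

With a 3600 s timeout, replaying 5 s apart yields one alert, replaying 7200 s apart yields two, and a 0.5 s timeout culls the flow between SYN and data so the rule never fires at all.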


