[Oisf-devel] Suricata's Limitation?

Victor Julien victor at inliniac.net
Tue Jul 30 15:31:09 UTC 2013

On 07/30/2013 04:47 PM, Prabhakaran Kasinathan wrote:
> Hi everyone,
> Let's consider that we have a pcap file with 50 matches of ICMP_SEQ:
> $number$ using Wireshark.
> When we use Suricata on the same pcap to match ICMP_SEQ:$number$ (in
> a rule), it sometimes produces a different number, a little less than
> or equal to the actual 50 matches.
> I mean the first time it triggers 45 alerts, and a different number the
> next time. It misses some matches! This pattern can be reproduced in
> different cases such as a threshold rule, etc. Each time with the same
> rule and the same pcap, I get a different number of matches or sometimes
> the same number.

How are you starting Suricata? I get predictable results every time.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
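One way to answer the "how are you starting Suricata" question with numbers, as an added example that is not part of this thread and not Suricata project code: replay the same pcap several times from the command line with a single-threaded runmode and compare the per-run alert count for the icmp_seq rule taken from fast.log. The pcap path, rule path, config path, SID 1000001 and the /tmp output directories are assumptions; the fast.log line in the comments is constructed to illustrate the format the counter matches on.

```shell
#!/bin/sh
# Added example (not from the thread). Replays one pcap through Suricata
# several times and checks whether the alert count for one rule is stable.
# Assumed paths (hypothetical); override via the environment.
PCAP="${PCAP:-/tmp/icmp.pcap}"
RULES="${RULES:-/tmp/icmp_seq.rules}"
CONF="${CONF:-/etc/suricata/suricata.yaml}"
RUNS="${RUNS:-5}"
SID="${SID:-1000001}"   # hypothetical SID of the icmp_seq rule

# icmp_seq_rule SEQ: print a rule matching one ICMP sequence number.
icmp_seq_rule() {
    printf 'alert icmp any any -> any any (msg:"ICMP seq %s"; icmp_seq:%s; sid:%s; rev:1;)\n' \
        "$1" "$1" "$SID"
}

# count_alerts SID: count fast.log lines (on stdin) fired by gid 1, SID.
# A fast.log line looks like (constructed sample):
#   07/30/2013-15:31:09.000001  [**] [1:1000001:1] ICMP seq 42 [**] ...
# Using awk keeps the exit status 0 even when the count is zero.
count_alerts() {
    awk -v pat="[1:$1:" 'index($0, pat) { n++ } END { print n + 0 }'
}

# replay_once DIR: run Suricata over the pcap once, logging into DIR.
# --runmode single uses one packet-processing thread; -k none disables
# checksum validation so bad checksums in the capture do not drop packets.
replay_once() {
    mkdir -p "$1"
    suricata -c "$CONF" -S "$RULES" -r "$PCAP" -l "$1" \
        --runmode single -k none >/dev/null 2>&1
}

# counts_stable N1 N2 ...: return 0 if every count equals the first.
counts_stable() {
    first="$1"
    for c in "$@"; do
        [ "$c" = "$first" ] || return 1
    done
    return 0
}

main() {
    seq="${ICMP_SEQ:-42}"   # hypothetical sequence number to match
    icmp_seq_rule "$seq" > "$RULES"
    i=1
    counts=""
    while [ "$i" -le "$RUNS" ]; do
        dir="/tmp/suri-run-$i"
        replay_once "$dir"
        n=$(count_alerts "$SID" < "$dir/fast.log")
        echo "run $i: $n alerts for sid $SID"
        counts="$counts $n"
        i=$((i + 1))
    done
    # shellcheck disable=SC2086  # word splitting of $counts is intended
    if counts_stable $counts; then
        echo "alert count is stable across $RUNS runs"
    else
        echo "alert count varies between runs:$counts"
    fi
}

# Only replay when Suricata and the capture are actually available.
if command -v suricata >/dev/null 2>&1 && [ -r "$PCAP" ]; then
    main
fi
```

If the counts differ between runs under `--runmode single`, the variation is not explained by multi-threaded flow distribution and the rule, capture and configuration are the next things to check; if they are identical there but differ under the default runmode, the invocation itself is the variable.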
