[Oisf-devel] Suricata's Limitation? (Peter Manev) (Anoop)
Anoop Saldanha
anoopsaldanha at gmail.com
Wed Jul 31 14:33:11 UTC 2013
On Wed, Jul 31, 2013 at 7:37 PM, Prabhakaran Kasinathan
<prabhakaran1989 at gmail.com> wrote:
>> Message: 4
>> Date: Tue, 30 Jul 2013 16:26:03 +0100
>> From: Peter Manev <petermanev at gmail.com>
>> To: Prabhakaran Kasinathan <prabhakaran1989 at gmail.com>
>> Cc: suricata Mail List <oisf-devel at openinfosecfoundation.org>
>> Subject: Re: [Oisf-devel] Suricata's Limitation?
>> Message-ID: <C89727F7-CA05-42CC-AD59-E8AB2313D316 at gmail.com>
>> Content-Type: text/plain; charset=us-ascii
>>
>>
>>
>> On 30 jul 2013, at 15:47, Prabhakaran Kasinathan
>> <prabhakaran1989 at gmail.com> wrote:
>>
>> > Hi everyone,
>> >
>> > Let's consider that we have a pcap file with 50 matches of ICMP_SEQ:
>> > $number$ using wireshark.
>> >
>> > When we use suricata using the same pcap to match ICMP_SEQ:$number$ ( in
>> > a rule), it produces sometimes different, but little less than or equal to
>> > the actual 50 matches.
>> >
>> > I mean for the first time it triggers 45 alerts, and different next
>> > time. It misses some matches! This pattern can be reproduced in different
>> > cases such as threshold rule, etc. Each time with the same rule and same
>> > pcap, I get different match or sometime same number of match.
>>
>> What if you try to lower the inspection chunk size in suricata.yaml(also
>> disable chksum checking and use "--runmode=single") ?
>>
>>
>
> It worked! "--runmode single", I tried to run the matching several times and
> presented the results below
>
> Conditions:
> Runmode = Normal
>
> Wireshark: 46 Displayed ( matched)
> Suricata attempts : matches
>
> 43
> 44
> 43
> 45
> 43
>
> Runmode= single
> $$# sudo ./src/.libs/suricata -c suricata.yaml -r test00.pcapng --runmode
> single
> Wireshark: 46 Displayed ( matched)
>
> 46
> 46
> 46
> ...working!!
>
>
>>
>> >
>> > Is this a limitation of all NIDSs?
>> > --
>> > Best Regards,
>> > Prabhakaran Kasinathan
>
>
> On Wed, Jul 31, 2013 at 3:12 PM, Anoop Saldanha <anoopsaldanha at gmail.com>
> wrote:
>>
>> On Wed, Jul 31, 2013 at 6:26 PM, Prabhakaran Kasinathan
>> <prabhakaran1989 at gmail.com> wrote:
>> > On 07/30/2013 04:47 PM, Prabhakaran Kasinathan wrote:
>> >>
>> >> > Hi everyone,
>> >> >
>> >> > Let's consider that we have a pcap file with 50 matches of ICMP_SEQ:
>> >> > $number$ using wireshark.
>> >> >
>> >> > When we use suricata using the same pcap to match ICMP_SEQ:$number$ (
>> >> > in
>> >> > a rule), it produces sometimes different, but little less than or
>> >> > equal
>> >> > to the actual 50 matches.
>> >> >
>> >> > I mean for the first time it triggers 45 alerts, and different next
>> >> > time. It misses some matches! This pattern can be reproduced in
>> >> > different cases such as threshold rule, etc. Each time with the same
>> >> > rule and same pcap, I get different match or sometime same number of
>> >> > match.
>> >>
>> >> How are you starting Suricata? I get predicable results every time.
>> >>
>> > I found that, when the pcap size is less, Suricata predicts the exact
>> > numbers.But, if the pcap is little larger, it has an impact in the
>> > accuracy.
>> >
>> > After make, I start suricata like this..
>> > sudo ./src/.libs/suricata -c suricata.yaml -r test00.pcapng
>> >
>>
>> My reply from the other mail -
>>
>> "Do you see it with non threshold/event rules as well? If it is with
>> threshold/event rules it is possible to get different alerts based on
>> timing."
>>
> yes! for Non-Threshold/events also it gives different number of alerts! But
> as described above, if I run suricata in "single" runmode, i.e. Single
> threaded! It gives predictable results.
>
> Thank you!. What could be the fix for this problem ??
> --
For non event rules it shouldn't give different alerts for default
mode. Can you open a bug and share your pcap?
--
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
More information about the Oisf-devel
mailing list