[Oisf-users] Buffered alert ?

Victor Julien victor at inliniac.net
Fri Apr 6 08:03:45 UTC 2012


On 04/06/2012 09:59 AM, Michel SABORDE wrote:
> Hello everyone,
>  
> I'm facing a strange problem.
> Sometimes alerts are "buffered" and only written in fast.log when I stop
> Suricata.
> It is painful because to be sure whether or not an alert was triggered,
> I have to restart Suricata at each test.
> Did anyone encounter the same problem?

It's likely because the alert is only triggered when the flow times out.
This can happen when Suricata missed the TCP FIN or RST packets. You can
try to lower the flow timeout settings in your yaml. You should see the
alerts coming in sooner then.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
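
The flow timeout settings mentioned in the reply live in the `flow-timeouts` section of suricata.yaml. The fragment below is an added example, not part of the original message; the numbers are illustrative assumptions for a test sensor, so compare them with the values already in your own file.

```yaml
# suricata.yaml (fragment) - added example, not from the thread.
# All values are in seconds and are illustrative assumptions for a test setup.
flow-timeouts:
  tcp:
    # Idle time allowed before a flow in each state is timed out.
    new: 10           # handshake not yet completed
    # If the sensor missed the FIN or RST, the flow stays in this state
    # until the timer expires, which is the delay described in the reply.
    established: 60   # handshake completed, no FIN/RST seen
    closed: 5         # FIN or RST seen
```

Very low `established` values also expire long-lived idle sessions early, so values chosen for quick test feedback are not necessarily suitable for a production sensor.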



