[Oisf-users] Buffered alert ?

Anoop Saldanha anoopsaldanha at gmail.com
Fri Apr 6 08:08:05 UTC 2012


On Fri, Apr 6, 2012 at 1:33 PM, Victor Julien <victor at inliniac.net> wrote:
> On 04/06/2012 09:59 AM, Michel SABORDE wrote:
>> Hello everyone,
>>
>> I'm facing a strange problem.
>> Sometimes alerts are "buffered" and only written to fast.log when I stop
>> suricata.
>> It is painful because to be sure whether or not an alert was triggered,
>> I have to restart suricata at each test.
>> Did anyone encounter the same problem?
>
> It's likely because the alert is only triggered when the flow times out.
> This can happen when Suricata missed the TCP FIN or RST packets. You can
> try to lower the flow timeout settings in your yaml. You should see the
> alerts coming in sooner then.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------

Coming to think of it, for really long streams, our flow manager can
send a pseudo packet every 'x' seconds to trigger raw reassembly and
inspection.  This should keep the alerts coming.

-- 
Anoop Saldanha
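As an added illustration of the advice above (not part of the thread, and not a copy of the project's shipped configuration): the flow-timeouts section of suricata.yaml is where the timeouts Victor refers to live. The section and key names follow the layout of the suricata.yaml of that era; the numbers are assumed, illustrative values in seconds, not the project's defaults. The tcp "established" and "closed" entries are the ones that govern how long a flow whose FIN or RST was missed sits idle before the flow manager times it out and any pending alert is flushed to fast.log.

```yaml
# Flow timeouts, in seconds. Illustrative values (assumed), not the shipped defaults.
# When Suricata misses a TCP FIN/RST, the flow is only closed by these timers,
# and an alert that depends on final reassembly is written only at that point.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    # Lowering this is what makes "buffered" alerts appear sooner in a lab:
    # an idle established TCP flow is expired after this many seconds.
    established: 120
    # How long a closed flow is kept before being freed.
    closed: 30
    emergency-new: 10
    emergency-established: 60
    emergency-closed: 10
  udp:
    new: 30
    established: 120
    emergency-new: 10
    emergency-established: 60
  icmp:
    new: 30
    established: 120
    emergency-new: 10
    emergency-established: 60
```

The trade-off is worth keeping in mind: a short established timeout is convenient for testing, but in production a legitimately quiet long-lived session (an idle SSH or database connection, for instance) will be expired and then tracked as a new flow when it resumes, so stream state and any mid-flow detection that depends on it are lost. Lower the values for the test host, then restore production-appropriate timeouts.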