[Oisf-users] Buffered alert?

Peter Manev petermanev at gmail.com
Fri Apr 6 08:17:21 UTC 2012


On 4/6/2012 10:08 AM, Anoop Saldanha wrote:
> On Fri, Apr 6, 2012 at 1:33 PM, Victor Julien <victor at inliniac.net> wrote:
>> On 04/06/2012 09:59 AM, Michel SABORDE wrote:
>>> Hello everyone,
>>>
>>> I'm facing a strange problem.
>>> Sometimes alerts are "buffered" and only written to fast.log when I stop
>>> Suricata.
>>> It is painful because, to be sure whether or not an alert was triggered,
>>> I have to restart Suricata at each test.
>>> Did anyone encounter the same problem?
>> It's likely because the alert is only triggered when the flow times out.
>> This can happen when Suricata missed the TCP FIN or RST packets. You can
>> try to lower the flow timeout settings in your yaml. You should see the
>> alerts coming in sooner then.
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
> Coming to think of it, for really long streams, our flow manager can
> send a pseudo packet every 'x' seconds to trigger raw reassembly and
> inspection.  This should keep the alerts coming.
>
I like the idea.

-- 
Regards,
Peter Manev
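As an added illustration for Victor's suggestion above (this block is not part of the thread and is not a copy of any Suricata project file): the `flow-timeouts` section of suricata.yaml is where the per-protocol idle timeouts live. The "before" values are the stock defaults as I recall them from the shipped configuration of this era; the "after" values are assumptions chosen only to show the direction of the change. Timeouts are in seconds and the `emergency-*` keys apply when the flow engine hits its memcap.

```yaml
# suricata.yaml excerpt (illustrative, not a project file).
#
# A TCP flow whose FIN/RST was missed never reaches "closed"; it stays
# "established" until no packet has been seen for the matching timeout.
# Alerts that depend on final stream reassembly fire only at that point,
# which is why they appear to be "buffered" until the timeout (or until
# Suricata exits and flushes every flow).

flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    # Stock value (from memory): 3600. With a missed FIN, the last-seen
    # packet's stream data is inspected only after this much idle time.
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100

# --- Lowered variant for a test sensor (assumed values, not a recommendation
# for production). Only the TCP "established" timeout needs to change for the
# symptom described in the thread; the other keys are left at their defaults.
#
# flow-timeouts:
#   tcp:
#     new: 60
#     established: 120   # idle TCP flows time out after 2 minutes
#     closed: 120
#     emergency-new: 10
#     emergency-established: 30
#     emergency-closed: 20
```

The trade-off to keep in mind when lowering `tcp.established`: a legitimately idle but still-open connection (an SSH session, a long database connection) is also evicted once it is quiet for that long, and any later packets on it are seen as a new flow without the earlier stream state. On a lab box that is fine; on a production sensor check the flow statistics after the change rather than picking the smallest value that makes alerts appear quickly.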




More information about the Oisf-users mailing list