[Oisf-users] Buffered alert ?

Michel SABORDE michel.saborde at gmail.com
Fri Apr 6 09:02:07 UTC 2012


Thanks for your answers!
On 6 April 2012 at 10:17, Peter Manev <petermanev at gmail.com> wrote:

> On 4/6/2012 10:08 AM, Anoop Saldanha wrote:
> > On Fri, Apr 6, 2012 at 1:33 PM, Victor Julien <victor at inliniac.net>
> wrote:
> >> On 04/06/2012 09:59 AM, Michel SABORDE wrote:
> >>> Hello everyone,
> >>>
> >>> I'm facing a strange problem.
> >>> Sometimes alerts are "buffered" and only written to fast.log when I stop
> >>> Suricata.
> >>> It is painful because, to be sure whether or not an alert was triggered,
> >>> I have to restart Suricata at each test.
> >>> Did anyone encounter the same problem?
> >> It's likely because the alert is only triggered when the flow times out.
> >> This can happen when Suricata missed the TCP FIN or RST packets. You can
> >> try to lower the flow timeout settings in your yaml. You should see the
> >> alerts coming in sooner then.
> >>
> >> --
> >> ---------------------------------------------
> >> Victor Julien
> >> http://www.inliniac.net/
> >> PGP: http://www.inliniac.net/victorjulien.asc
> >> ---------------------------------------------
> >>
> >> _______________________________________________
> >> Oisf-users mailing list
> >> Oisf-users at openinfosecfoundation.org
> >> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Coming to think of it, for really long streams, our flow manager can
> > send a pseudo packet every 'x' seconds to trigger raw reassembly and
> > inspection.  This should keep the alerts coming.
> >
> I like the idea.
>
> --
> Regards,
> Peter Manev
>
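Victor's suggestion above is to lower the flow timeouts in suricata.yaml so that a TCP flow whose FIN or RST Suricata never saw is reaped, and its end-of-flow inspection and alert written, without waiting an hour. The following suricata.yaml fragment is an added example, not a file from this thread or from the Suricata project; the "before" numbers are the values commonly shipped as defaults and are an assumption here, so compare them against your own running configuration before editing. Only the tcp established timeout is changed:

```yaml
# suricata.yaml fragment (added example, not from the thread).
# All timeouts are in seconds. The "before" values are assumed typical
# shipped defaults; check the flow-timeouts section of your own file.

flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    # Before: an established TCP flow whose FIN/RST was missed lingers
    # for an hour, and an alert that fires at flow end waits that long
    # before it reaches fast.log.
    # established: 3600
    # After: time the flow out after 5 minutes of inactivity so the
    # end-of-flow inspection, and the alert, arrive sooner.
    established: 300
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
```

Restart Suricata after the change so the new timeouts take effect. The caveat a practitioner should weigh: these timeouts also expire legitimately idle connections, so a tuple that resumes traffic after the timeout is tracked as a new flow picked up midstream, with no stream state from before. Set the value from the idle gap you actually expect on the monitored link rather than as low as possible, and note that the emergency-* values apply only when the flow engine enters emergency mode because its memory limit has been reached.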