[Oisf-users] Fast log delay
Jose Paulo
paulo at sistemasolar.com.br
Mon Apr 8 15:18:03 UTC 2013
Thank you, Victor Julien, for your feedback.
Sorry, maybe I wasn't clear.
The fast.log is flushed just after the TCP stream closes, so Suricata
is not missing/rejecting the TCP close (FIN/RST).
The problem is that the alert in fast.log does not appear at the time
it occurs. It is delayed until the stream is closed.
José Paulo
On 08/04/2013 11:47, Victor Julien wrote:
> On 04/08/2013 04:41 PM, Leonard Jacobs wrote:
>> I might be seeing this same issue. But I might be seeing it on Suricata
>> 1.4 also.
> This is normal in 2 cases:
>
> 1. TCP close (FIN/RST) is missed or missing
> 2. TCP close (FIN/RST) is rejected
>
> In these cases the final inspection is done when the flow times out in
> Suricata.
>
> Inspecting such a stream with tcpdump/wireshark may give you some
> insight. Also, enabling Suricata's stream-events.rules may tell you why
> Suricata rejected a packet, if it did so.
>
>> Jose Paulo <paulo at sistemasolar.com.br> , 4/8/2013 9:34 AM:
>>
>> Hello all.
>>
>> I'm getting a strange behavior.
>> I'm using fast.log as output, but Suricata is flushing the log
>> file only after the TCP stream is closed.
>> Is there any parameter for this, in suricata.yaml or OS?
>>
>> OS is Linux and Suricata is 1.4.1 RELEASE.
>>
>> Thanks in advance.
>>
>> José Paulo
>
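To tell the two situations discussed in this thread apart (an alert written when the TCP close is seen, versus one written only when the flow times out because the close was missed or rejected), it helps to line up fast.log timestamps with the first packet and FIN/RST times of each flow as seen in a capture. The following script is an added example, not part of the thread or of Suricata itself: it parses fast.log lines in the standard fast.log format, joins them to constructed per-flow timing data (what you would extract from tcpdump/wireshark), and labels each alert. The signature names, addresses, timestamps and the 3600-second timeout are all constructed assumptions; set the timeout to the value from your own suricata.yaml flow-timeouts.

```python
import re
from datetime import datetime, timedelta

# Constructed sample fast.log lines (not from the thread). The layout follows
# Suricata's fast.log format; signatures and addresses are hypothetical.
FAST_LOG = """\
04/08/2013-15:10:00.000100  [**] [1:2000001:1] HYPOTHETICAL sig A [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:40001 -> 10.0.0.9:80
04/08/2013-15:10:02.500000  [**] [1:2000002:1] HYPOTHETICAL sig B [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:40002 -> 10.0.0.9:80
04/08/2013-16:10:04.000000  [**] [1:2000003:1] HYPOTHETICAL sig C [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:40003 -> 10.0.0.9:80
"""

# Constructed per-flow timing taken "from a capture": first packet time and the
# time a FIN/RST was observed (None = no close ever seen by the sensor).
def _t(s):
    return datetime.strptime(s, "%m/%d/%Y-%H:%M:%S.%f")

FLOWS = {
    ("TCP", "10.0.0.5", 40001, "10.0.0.9", 80): {"first": _t("04/08/2013-15:09:58.000000"), "close": _t("04/08/2013-15:10:00.000000")},
    ("TCP", "10.0.0.5", 40002, "10.0.0.9", 80): {"first": _t("04/08/2013-15:10:00.000000"), "close": _t("04/08/2013-15:10:30.000000")},
    ("TCP", "10.0.0.5", 40003, "10.0.0.9", 80): {"first": _t("04/08/2013-15:10:04.000000"), "close": None},
}

# One fast.log line: timestamp, [gid:sid:rev], msg, optional classification,
# priority, {proto} and the src:port -> dst:port pair.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Parse fast.log text into alert dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        alerts.append({
            "ts": _t(d["ts"]),
            "sid": int(d["sid"]),
            "msg": d["msg"],
            "flow": (d["proto"], d["src"], int(d["sport"]), d["dst"], int(d["dport"])),
        })
    return alerts


def classify_alert(alert, flow, timeout=timedelta(seconds=3600), tol=timedelta(seconds=1)):
    """Label when the alert was written relative to the flow's lifetime.

    at-close      : written within `tol` of the observed FIN/RST (case Jose describes)
    at-timeout    : no close seen and alert is >= `timeout` after the first packet
                    (Victor's missed/rejected close case, inspected at flow timeout)
    during-stream : written while the stream was still open
    """
    close = flow.get("close")
    if close is not None and abs(alert["ts"] - close) <= tol:
        return "at-close"
    if close is None and alert["ts"] - flow["first"] >= timeout:
        return "at-timeout"
    return "during-stream"


def report(fast_log_text, flows, timeout=timedelta(seconds=3600)):
    """Map each alert's sid to its timing label; flows not in the capture are 'unknown-flow'."""
    result = {}
    for a in parse_fast_log(fast_log_text):
        flow = flows.get(a["flow"])
        result[a["sid"]] = classify_alert(a, flow, timeout) if flow else "unknown-flow"
    return result


if __name__ == "__main__":
    for sid, label in report(FAST_LOG, FLOWS).items():
        print(sid, label)
```

An alert labelled at-timeout is the signal to look at the capture for the missing or rejected close and to enable stream-events.rules, as Victor suggests; an at-close alert on a flow whose close was seen matches the delay Jose reports rather than a missed close.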