[Oisf-users] Suricata not detecting app-layers

Tue Dec 23 15:59:58 UTC 2014

On 12/23/2014 04:51 PM, Joris Roefs l Onsight Solutions BV wrote:
>> Can you record a part of the traffic and inspect it with tcpdump or wireshark to see if the span port really sends you all the packets?
> 
> Tcpdump tells me all is well, but I have to say I'm not fluent in tcpdump. I'd really like to reassemble a file from a packet dump, to be sure...
> 

> detect.alert              | Detect                    | 36725

What kind of alerts are you getting?

> tcp.syn                   | Detect                    | 30868
> tcp.synack                | Detect                    | 13691
> flow_mgr.closed_pruned    | FlowManagerThread         | 13867
> flow_mgr.new_pruned       | FlowManagerThread         | 187930
> flow_mgr.est_pruned       | FlowManagerThread         | 0

Many more SYN's than SYN/ACK's and by far most flows are timed out when
still in state 'new'.

I'm suspecting you may only see on side of the traffic?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------