[Oisf-users] suri logging all the packets for the session

Russell Fulton r.fulton at auckland.ac.nz
Thu Nov 20 23:19:19 UTC 2014


On 21/11/2014, at 10:18 am, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> If I remember correctly, the packet logging is a 'best effort' by
> suricata to write the packets that triggered the alert.
> 
> In the example you gave it's using the SMTP protocol detection feature
> of suricata, so it may be that by the time the flow has been tagged and
> the alert generated some of the packets may have already been flushed.

I think I now have a fair idea about what is going on.  Enlightenment struck with your mention of SMTP and 'best effort'.

This *IS* expected behaviour and it happens where the detection is made, not by the packet inspection engine, but by one of the protocol analysis units so suri does not actually know which packet the data was in so it dumps the contents of the stream buffer.  And as you point out the critical packet may well have been flushed from the buffer. 

This now makes sense to me.  I’m a bit slow sometimes — I plead old age ;)

Russell

