[Oisf-users] Issue with having Suricata alert successfully on successive creation of alert conditions
bakul khanna
bakulkhanna at gmail.com
Sun Sep 14 00:35:25 UTC 2014
I am experimenting with having Suricata generate an alert, for an ET rule
(sid=2016808), when I perform a tcpreplay of a pcap file for this rule.
The first time after a Suricata bringup, it does generate the alert. On
subsequent replays of the same pcap file it does not generate the alert.
However if I wait a long time (I tried an hour) and then replay the pcap
file, Suricata successfully alerts then. There are no threshold limits
applied to this rule.
I tried reducing the flow and TCP timeouts in suricata.yaml, but that
didn't seem to help.
Any suggestion on how I can get Suricata to alert successfully on
successive tcpreplays of this pcap file?
Thanks,
-Bakul