[Oisf-users] Issue with having Suricata alert successfully on successive creation of alert conditions
Peter Manev
petermanev at gmail.com
Sun Sep 14 09:37:58 UTC 2014
On Sun, Sep 14, 2014 at 2:35 AM, bakul khanna <bakulkhanna at gmail.com> wrote:
> I am experimenting with having Suricata generate an alert, for an ET rule
> (sid=2016808), when I perform a tcpreplay of a pcap file for this rule.
>
> The first time after a Suricata bringup, it does generate the alert. On
> subsequent replays of the same pcap file it does not generate the alert.
> However if I wait a long time (I tried an hour) and then replay the pcap
> file, Suricata successfully alerts then. There is no threshold limits
> applied to this rule.
>
> I tried reducing the flow and TCP timeouts in suricata.yaml, but that didn't
> seem to help.
>
> Any suggestion on how I can get Suricata to alert successfully on successive
> tcpreplays of this pcap file?
>
> Thanks,
>
> -Bakul
>
> _______________________________________________
Hi,
The way you describe the problem it seems TCP timeouts is the problem.
I can't be sure though.
Can you please provide your timeout values as set up in yaml and the
set up you use - how do you start Suricata, do you use unix
socket(most likely the case)...so on?
thanks
--
Regards,
Peter Manev
More information about the Oisf-users
mailing list