[Oisf-users] Issue with having Suricata alert successfully on successive creation of alert conditions

bakul khanna bakulkhanna at gmail.com
Sun Sep 14 15:22:09 UTC 2014


Thanks Peter.

Here are the timeouts from my suricata.yaml file:

default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
tcp:
    new: 10
    established: 10
    closed: 10
    emergency-new: 10
    emergency-established: 10
    emergency-closed: 10

I invoke suricata using the following command:
suricata -D -c /etc/suricata/suricata.yaml -i eth0 --pidfile /var/run/suricata.pid

Following the successful alert for sid=2016808, I also immediately see the
following alerts:
2210032 - ..Suricata Stream FIN1 FIN with wrong seq... (sometimes)
2210045 - ..Suricata stream packet with invalid ack..
2210046 - ..Suricata stream shutdown RST invalid ack...

Also, I noticed that I don't have to wait an hour to generate successful
2016808 alerts; I can now generate successive alerts if I wait 10-15 min.

Thanks,

-Bakul
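One way to see the mechanism Peter is pointing at, as an added example that is not code from this thread or from Suricata itself: a simplified Python model of per-state idle timeouts, using the tcp values quoted above, showing why replaying the same pcap while the flow is still tracked is treated as a stream anomaly rather than a new session. The flow table, the packet verdicts and the constructed three-packet session are assumptions of this model; the real engine keeps far more state.

```python
# Added example, not Suricata's own code: a minimal model of per-flow idle
# timeouts. A flow is dropped only when no packet has touched it for longer
# than the timeout of its current state, so frequent replays keep it alive.
from dataclasses import dataclass

# Timeouts (seconds) for the "tcp" section as posted in the thread.
TCP_TIMEOUTS = {"new": 10, "established": 10, "closed": 10}


@dataclass
class Flow:
    state: str        # "new", "established" or "closed"
    last_seen: float  # time of the last packet matched to this flow


class FlowTable:
    """Assumed model: one entry per 5-tuple, expired on idle time."""

    def __init__(self, timeouts):
        self.timeouts = timeouts
        self.flows = {}

    def _expire(self, now):
        for key, flow in list(self.flows.items()):
            if now - flow.last_seen > self.timeouts[flow.state]:
                del self.flows[key]

    def packet(self, now, key, flags):
        """Return 'new_flow', 'tracked' or 'anomaly' for one packet."""
        self._expire(now)
        flow = self.flows.get(key)
        if flow is None:
            self.flows[key] = Flow("new", now)
            return "new_flow"
        flow.last_seen = now               # any packet refreshes the idle timer
        if "S" in flags and "A" not in flags:
            return "anomaly"               # SYN on a flow that is still tracked
        if flow.state == "new" and flags == "A":
            flow.state = "established"     # handshake completed
        if "F" in flags or "R" in flags:
            flow.state = "closed"
        return "tracked"


# Constructed 5-tuple; a tcpreplay of the same pcap reuses it every time.
SESSION_KEY = ("10.0.0.5", 44321, "10.0.0.9", 80)


def replay(table, start, key=SESSION_KEY):
    """Replay the constructed session at time `start`; return the SYN's verdict."""
    verdict = table.packet(start, key, "S")
    table.packet(start + 0.01, key, "SA")
    table.packet(start + 0.02, key, "A")
    table.packet(start + 0.03, key, "FA")
    return verdict
```

With closed set to 10 s, a replay 5 s after the first one hits the tracked flow (anomaly) while a replay 20 s later starts a fresh flow.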






On Sun, Sep 14, 2014 at 5:37 AM, Peter Manev <petermanev at gmail.com> wrote:

> On Sun, Sep 14, 2014 at 2:35 AM, bakul khanna <bakulkhanna at gmail.com>
> wrote:
> > I am experimenting with having Suricata generate an alert, for an ET rule
> > (sid=2016808), when I perform a  tcpreplay of a pcap file for this rule.
> >
> > The first time after a Suricata bringup, it does generate the alert. On
> > subsequent replays of the same pcap file it does not generate the alert.
> > However if I wait a long time (I tried an hour) and then replay the pcap
> > file, Suricata successfully alerts then. There is no threshold limits
> > applied to this rule.
> >
> > I tried reducing the flow and TCP timeouts in suricata.yaml, but that
> didn't
> > seem to help.
> >
> > Any suggestion on how I can get Suricata to alert successfully on
> successive
> > tcpreplays of this pcap file?
> >
> > Thanks,
> >
> > -Bakul
> >
>
>
>
> Hi,
>
> The way you describe the problem it seems TCP timeouts are the problem.
> I can't be sure though.
>
> Can you please provide your timeout values as set up in yaml and the
> setup you use - how do you start Suricata, do you use unix
> socket (most likely the case)...and so on?
>
>
>
> thanks
>
> --
> Regards,
> Peter Manev
>