[Oisf-users] Issue with having Suricata alert successfully on successive creation of alert conditions
bakul khanna
bakulkhanna at gmail.com
Sun Sep 14 15:22:09 UTC 2014
Thanks Peter.
Here are the timeouts from my suricata.yaml file:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 10
    established: 10
    closed: 10
    emergency-new: 10
    emergency-established: 10
    emergency-closed: 10
I invoke suricata using the following command:
suricata -D -c /etc/suricata/suricata.yaml -i eth0 --pidfile /var/run/suricata.pid
Following the successful alert for sid=2016808, I also immediately see the
following alerts:
2210032 - ..Suricata Stream FIN1 FIN with wrong seq... (sometimes)
2210045 - ..Suricata stream packet with invalid ack..
2210046 - ..Suricata stream shutdown RST invalid ack...
Also, I noticed that I don't have to wait an hour to generate successful
2016808 alerts; I can now generate successive alerts if I wait 10-15 min.
Thanks,
-Bakul
On Sun, Sep 14, 2014 at 5:37 AM, Peter Manev <petermanev at gmail.com> wrote:
> On Sun, Sep 14, 2014 at 2:35 AM, bakul khanna <bakulkhanna at gmail.com>
> wrote:
> > I am experimenting with having Suricata generate an alert, for an ET rule
> > (sid=2016808), when I perform a tcpreplay of a pcap file for this rule.
> >
> > The first time after a Suricata bringup, it does generate the alert. On
> > subsequent replays of the same pcap file it does not generate the alert.
> > However if I wait a long time (I tried an hour) and then replay the pcap
> > file, Suricata successfully alerts then. There is no threshold limits
> > applied to this rule.
> >
> > I tried reducing the flow and TCP timeouts in suricata.yaml, but that
> > didn't seem to help.
> >
> > Any suggestion on how I can get Suricata to alert successfully on
> > successive tcpreplays of this pcap file?
> >
> > Thanks,
> >
> > -Bakul
>
> Hi,
>
> The way you describe the problem, it seems the TCP timeouts are the problem.
> I can't be sure though.
>
> Can you please provide your timeout values as set up in the yaml and the
> setup you use - how do you start Suricata, do you use the unix
> socket (most likely the case)... and so on?
>
> thanks
>
> --
> Regards,
> Peter Manev
>
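One way to get an alert from every replay without depending on the timeout values, added here as an illustration (this is not code from the thread, from Suricata, or from the tcpreplay suite): Suricata keys flows on the 5-tuple, so an identical replay sent while the flow from the previous run is still in the flow table lands on that old entry instead of starting a new session, which is consistent with the stream events listed in the message. Rewriting the client's ephemeral port before each replay turns every run into a fresh flow. tcprewrite's --portmap option can do this on the command line; the script below does the same in pure Python (pcap parsing, port shift, TCP checksum repair) so the mechanics are visible. The addresses, ports and HTTP request in sample_flow() are constructed stand-ins for the poster's pcap, and replay_N.pcap / the 10.0.0.5 and 192.0.2.10 hosts are names chosen for the example.

```python
"""Shift the ephemeral TCP port in a pcap so each tcpreplay run is a new flow.

Added example for this thread, not code from Suricata or from the poster.
Handles little-endian microsecond pcaps with Ethernet link type; IPv4/TCP
frames are rewritten, anything else (ARP, VLAN-tagged, UDP) is copied as-is.
"""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
ETH_P_IP = 0x0800
IPPROTO_TCP = 6
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words, odd length zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_ip, dst_ip, sport, dport, flags, seq, ack, payload=b""):
    """Ethernet/IPv4/TCP frame with correct IP header and TCP checksums."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    eth = b"\x00\x0c\x29\x00\x00\x01\x00\x0c\x29\x00\x00\x02" + struct.pack("!H", ETH_P_IP)
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                               0x1234, 0x4000, 64, IPPROTO_TCP, 0, src, dst))
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)))
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp) + len(payload))
    struct.pack_into("!H", tcp, 16, checksum(pseudo + bytes(tcp) + payload))
    return eth + bytes(ip) + bytes(tcp) + payload


def write_pcap(packets):
    """Serialise frames as a pcap file (global header + one record per frame)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1))
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1410700000 + i, 0, len(pkt), len(pkt)) + pkt
    return bytes(out)


def iter_pcap(data):
    """Yield ((ts_sec, ts_usec, orig_len), frame_bytes) for each pcap record."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield (ts_sec, ts_usec, orig), data[off:off + incl]
        off += incl


def ports_of(pkt):
    """(sport, dport) of an Ethernet/IPv4/TCP frame."""
    ihl = (pkt[14] & 0x0F) * 4
    return struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])


def tcp_checksum_ok(pkt):
    """True when the TCP checksum (incl. pseudo-header) verifies to zero."""
    ihl = (pkt[14] & 0x0F) * 4
    ip, seg = pkt[14:14 + ihl], pkt[14 + ihl:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    return checksum(pseudo + seg) == 0


def shift_ports(pkt, offset):
    """Shift ports >= 1024 by `offset` (wrapping within 1024..65535) and repair
    the TCP checksum. Service ports stay put so port-based rule conditions and
    app-layer detection still see the same server side."""
    if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETH_P_IP:
        return pkt
    ihl = (pkt[14] & 0x0F) * 4
    ip = pkt[14:14 + ihl]
    seg = bytearray(pkt[14 + ihl:])
    if ip[9] != IPPROTO_TCP or len(seg) < 20:  # not TCP, or truncated capture
        return pkt
    bump = lambda p: p if p < 1024 else 1024 + (p - 1024 + offset) % (65536 - 1024)
    sport, dport = struct.unpack("!HH", seg[:4])
    struct.pack_into("!HH", seg, 0, bump(sport), bump(dport))
    struct.pack_into("!H", seg, 16, 0)
    pseudo = ip[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    struct.pack_into("!H", seg, 16, checksum(pseudo + bytes(seg)))
    return pkt[:14 + ihl] + bytes(seg)


def rewrite_pcap(data, offset):
    """Copy of the pcap with every IPv4/TCP frame passed through shift_ports."""
    out = bytearray(data[:24])
    for (ts_sec, ts_usec, orig), pkt in iter_pcap(data):
        new = shift_ports(pkt, offset)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(new), orig) + new
    return bytes(out)


CLIENT, SERVER = "10.0.0.5", "192.0.2.10"  # constructed sample addresses


def sample_flow():
    """Constructed 10.0.0.5:40000 -> 192.0.2.10:80 session (stand-in for the
    poster's pcap): handshake, one request, RST teardown."""
    req = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    return [
        build_packet(CLIENT, SERVER, 40000, 80, SYN, 1000, 0),
        build_packet(SERVER, CLIENT, 80, 40000, SYN | ACK, 5000, 1001),
        build_packet(CLIENT, SERVER, 40000, 80, ACK, 1001, 5001),
        build_packet(CLIENT, SERVER, 40000, 80, PSH | ACK, 1001, 5001, req),
        build_packet(SERVER, CLIENT, 80, 40000, ACK, 5001, 1001 + len(req)),
        build_packet(CLIENT, SERVER, 40000, 80, RST | ACK, 1001 + len(req), 5001),
    ]


if __name__ == "__main__":
    import sys
    # Rewrite the pcap named on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else write_pcap(sample_flow())
    for i in range(1, 4):
        with open("replay_%d.pcap" % i, "wb") as f:
            f.write(rewrite_pcap(data, i))
    print("wrote replay_1.pcap .. replay_3.pcap; send each with: tcpreplay -i eth0 <file>")
```

Each replay_N.pcap carries the same session on a different client port, so each tcpreplay run is a new 5-tuple for Suricata regardless of what the previous run left in the flow table. Only the ephemeral side is shifted; the IP header is untouched (ports are not in it), so only the TCP checksum needs recomputing.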