[Oisf-users] Issue with having Suricata alert successfully on successive creation of alert conditions

Peter Manev petermanev at gmail.com
Mon Sep 15 13:41:47 UTC 2014


On Sun, Sep 14, 2014 at 5:22 PM, bakul khanna <bakulkhanna at gmail.com> wrote:
> Thanks Peter.
>
> Here are the timeouts from my suricata.yaml file:
>
> default:
>     new: 30
>     established: 300
>     closed: 0
>     emergency-new: 10
>     emergency-established: 100
>     emergency-closed: 0
> tcp:
>     new: 10
>     established: 10
>     closed: 10
>     emergency-new: 10
>     emergency-established: 10
>     emergency-closed: 10
>
> I invoke suricata using the following command:
> suricata -D -c /etc/suricata/suricata.yaml -i eth0 --pidfile /var/run/suricata.pid
>
> Following the successful alert for sid=2016808, I also immediately see the
> following alerts:
> 2210032 - ..Suricata Stream FIN1 FIN with wrong seq... (sometimes)
> 2210045 - ..Suricata stream packet with invalid ack..
> 2210046 - ..Suricata stream shutdown RST invalid ack...
>
> Also, I noticed that I don't have to wait an hour to generate successful
> 2016808 alerts; I can now generate successive alerts if I wait 10-15 min.
>
> Thanks,
>
> -Bakul
>

How do you feed the pcaps for reading - tcpreplay?
Is it from another machine or from the same one that has Suricata running?

thanks

>
> On Sun, Sep 14, 2014 at 5:37 AM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Sun, Sep 14, 2014 at 2:35 AM, bakul khanna <bakulkhanna at gmail.com>
>> wrote:
>> > I am experimenting with having Suricata generate an alert, for an ET rule
>> > (sid=2016808), when I perform a tcpreplay of a pcap file for this rule.
>> >
>> > The first time after a Suricata bringup, it does generate the alert. On
>> > subsequent replays of the same pcap file it does not generate the alert.
>> > However, if I wait a long time (I tried an hour) and then replay the pcap
>> > file, Suricata successfully alerts then. There are no threshold limits
>> > applied to this rule.
>> >
>> > I tried reducing the flow and TCP timeouts in suricata.yaml, but that
>> > didn't seem to help.
>> >
>> > Any suggestion on how I can get Suricata to alert successfully on
>> > successive tcpreplays of this pcap file?
>> >
>> > Thanks,
>> >
>> > -Bakul
>> >
>>
>> Hi,
>>
>> The way you describe the problem, it seems the TCP timeouts are the problem.
>> I can't be sure though.
>>
>> Can you please provide your timeout values as set up in the yaml and the
>> set up you use - how do you start Suricata, do you use the unix
>> socket (most likely the case)... and so on?
>>
>> thanks
>>
>> --
>> Regards,
>> Peter Manev



-- 
Regards,
Peter Manev
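An added example, not code from the thread or from the Suricata project: it resolves which of the quoted flow-timeout values actually applies (Suricata uses the protocol section, here `tcp`, over `default`, and the `emergency-*` keys only in emergency mode), then models whether a repeated replay of the same pcap lands in a flow that is still being tracked. The replay timestamps are constructed, and the flow model is deliberately simplified.

```python
"""Resolve effective Suricata flow-timeouts and model repeated pcap replays."""

# The flow-timeouts fragment quoted in the thread (values in seconds).
FLOW_TIMEOUTS_YAML = """\
default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
tcp:
    new: 10
    established: 10
    closed: 10
    emergency-new: 10
    emergency-established: 10
    emergency-closed: 10
"""


def parse_timeouts(text):
    """Minimal parser for the two-level 'section:' / '    key: value' layout above."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip().rstrip(":")
            sections[current] = {}
        else:
            key, value = raw.split(":", 1)
            sections[current][key.strip()] = int(value)
    return sections


def effective_timeout(sections, proto, state, emergency=False):
    """Protocol section overrides 'default'; emergency-* keys apply in emergency mode."""
    key = ("emergency-" if emergency else "") + state
    return sections.get(proto, {}).get(key, sections["default"][key])


def replay_creates_new_flow(replay_times, timeout):
    """True when the previous flow has already timed out, so the replayed SYN starts a
    fresh flow and the rule can match again; False when it lands in the still-tracked
    flow (stream events such as 2210045 rather than the rule alert).
    Simplified model: every replay refreshes the flow's last-seen time, and the real
    expiry also depends on the flow manager's sweep interval."""
    result, last_seen = [], None
    for t in replay_times:
        fresh = last_seen is None or (t - last_seen) > timeout
        result.append(fresh)
        last_seen = t
    return result
```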