[Oisf-users] Issue with having Suricata alert successfully on successive creation of alert conditions

bakul khanna bakulkhanna at gmail.com
Mon Sep 15 16:20:09 UTC 2014


I tried both (feeding the pcap file from a different machine as well as
feeding it from the same machine running Suricata).

Some more answers/observations:
1. I am not using unix-socket
2. Regardless of the TCP timeout configuration, I cannot get sid=2016808
alerts to occur closer than 5 min apart.

Thanks.

On Mon, Sep 15, 2014 at 9:41 AM, Peter Manev <petermanev at gmail.com> wrote:

> On Sun, Sep 14, 2014 at 5:22 PM, bakul khanna <bakulkhanna at gmail.com>
> wrote:
> > Thanks Peter.
> >
> > Here are the timeouts from my suricata.yaml file:
> >
> > default:
> >     new: 30
> >     established: 300
> >     closed: 0
> >     emergency-new: 10
> >     emergency-established: 100
> >     emergency-closed: 0
> > tcp:
> >     new: 10
> >     established: 10
> >     closed: 10
> >     emergency-new: 10
> >     emergency-established: 10
> >     emergency-closed: 10
> >
> > I invoke suricata using the following command:
> > suricata -D -c /etc/suricata/suricata.yaml -i eth0 --pidfile
> > /var/run/suricata.pid
> >
> > Following the successful alert for sid=2016808, I also immediately see
> > the following alerts:
> > 2210032 - ..Suricata Stream FIN1 F1 with wrong seq... (sometimes)
> > 2210045 - ..Suricata stream packet with invalid ack..
> > 2210046 - ..Suricata stream shutdown RST invalid ack...
> >
> > Also, I noticed that I don't have to wait an hour to generate successful
> > 2016808 alerts; I can now generate successive alerts if I wait 10-15
> > min.
> >
> > Thanks,
> >
> > -Bakul
> >
> >
> >
>
> How do you feed the pcaps for reading - tcpreplay?
> Is it from another machine or from the same one that has Suricata running?
>
> thanks
>
> >
> >
> >
> > On Sun, Sep 14, 2014 at 5:37 AM, Peter Manev <petermanev at gmail.com>
> wrote:
> >>
> >> On Sun, Sep 14, 2014 at 2:35 AM, bakul khanna <bakulkhanna at gmail.com>
> >> wrote:
> >> > I am experimenting with having Suricata generate an alert, for an ET
> >> > rule (sid=2016808), when I perform a tcpreplay of a pcap file for this
> >> > rule.
> >> >
> >> > The first time after a Suricata bringup, it does generate the alert.
> >> > On subsequent replays of the same pcap file it does not generate the
> >> > alert. However if I wait a long time (I tried an hour) and then replay
> >> > the pcap file, Suricata successfully alerts then. There is no threshold
> >> > limits applied to this rule.
> >> >
> >> > I tried reducing the flow and TCP timeouts in suricata.yaml, but that
> >> > didn't seem to help.
> >> >
> >> > Any suggestion on how I can get Suricata to alert successfully on
> >> > successive tcpreplays of this pcap file?
> >> >
> >> > Thanks,
> >> >
> >> > -Bakul
> >> >
> >>
> >>
> >>
> >> Hi,
> >>
> >> The way you describe the problem it seems TCP timeouts are the problem.
> >> I can't be sure though.
> >>
> >> Can you please provide your timeout values as set up in yaml and the
> >> set up you use - how do you start Suricata, do you use unix
> >> socket (most likely the case)... and so on?
> >>
> >>
> >>
> >> thanks
> >>
> >> --
> >> Regards,
> >> Peter Manev
> >
> >
>
>
>
> --
> Regards,
> Peter Manev
>
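Added example, not part of the thread and not Suricata's or the poster's code: a small Python script that reads Suricata's eve.json and measures how far apart successive alerts for one signature ID are (the "never closer than 5 min" observation above), and which other signature IDs fire right after each hit (the 2210xxx stream-engine alerts the poster sees). The eve.json records embedded in it are constructed for the example; the field names used (timestamp, event_type, alert.signature_id) follow Suricata's EVE JSON alert output, and the signature text strings are made up.

```python
"""Measure the spacing of Suricata alerts for one sid in eve.json.

Added example for this thread; not Suricata code and not the poster's.
The eve.json records below are constructed. Field names follow Suricata's
EVE JSON alert output: timestamp, event_type, alert.signature_id.
"""
import json
from datetime import datetime

# Constructed eve.json lines: three hits of the ET rule under test, one
# stream-engine alert 100 ms after the first hit, and an unrelated flow
# record (not an alert) that must be ignored.
SAMPLE_EVE = """\
{"timestamp":"2014-09-15T15:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2016808,"rev":1,"signature":"ET rule under test"}}
{"timestamp":"2014-09-15T15:00:00.100000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2210045,"rev":1,"signature":"SURICATA STREAM Packet with invalid ack"}}
{"timestamp":"2014-09-15T15:02:30.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}
{"timestamp":"2014-09-15T15:05:10.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2016808,"rev":1,"signature":"ET rule under test"}}
{"timestamp":"2014-09-15T15:20:10.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2016808,"rev":1,"signature":"ET rule under test"}}
"""

# EVE timestamps look like 2014-09-15T15:00:00.000000+0000
EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_alerts(lines):
    """Yield (timestamp, sid) for every alert record.

    Non-alert event types and lines that are not valid JSON (e.g. a
    partially written last line of a live eve.json) are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if rec.get("event_type") != "alert":
            continue
        ts = datetime.strptime(rec["timestamp"], EVE_TS_FORMAT)
        yield ts, int(rec["alert"]["signature_id"])


def alert_times(lines, sid):
    """Sorted timestamps at which the given sid fired."""
    return sorted(ts for ts, s in parse_alerts(lines) if s == sid)


def gaps_seconds(times):
    """Seconds between consecutive timestamps."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def min_gap_seconds(lines, sid):
    """Smallest spacing between two alerts for sid; None with fewer than two."""
    gaps = gaps_seconds(alert_times(lines, sid))
    return min(gaps) if gaps else None


def fires_closer_than(lines, sid, seconds):
    """True if any two alerts for sid are less than `seconds` apart."""
    gap = min_gap_seconds(lines, sid)
    return gap is not None and gap < seconds


def sids_following(lines, sid, window_seconds):
    """Other sids that alert within window_seconds after any hit of sid.

    Handy for spotting stream-engine events (2210xxx) that ride along
    with a replayed pcap."""
    alerts = sorted(parse_alerts(lines))
    hits = [ts for ts, s in alerts if s == sid]
    found = set()
    for hit in hits:
        for ts, s in alerts:
            delta = (ts - hit).total_seconds()
            if s != sid and 0 <= delta <= window_seconds:
                found.add(s)
    return found


if __name__ == "__main__":
    import sys
    # Usage: python eve_gaps.py /var/log/suricata/eve.json 2016808
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            data = fh.read().splitlines()
        sid = int(sys.argv[2])
    else:
        data, sid = SAMPLE_EVE.splitlines(), 2016808
    print("alerts for sid %d: %d" % (sid, len(alert_times(data, sid))))
    print("gaps (s):", gaps_seconds(alert_times(data, sid)))
    print("min gap (s):", min_gap_seconds(data, sid))
    print("sids within 1 s after each hit:", sorted(sids_following(data, sid, 1.0)))
```

Run it against the real eve.json while repeating the tcpreplay at shorter and shorter intervals: the minimum gap is the number to compare with the flow and TCP timeout values, and the set of sids following each hit shows whether the replay is being treated as a continuation of an old flow (stream-engine alerts) rather than a new one.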