[Oisf-users] Issue with having Suricata alert successfully on successive creation of alert conditions

Peter Manev petermanev at gmail.com
Mon Sep 15 17:01:16 UTC 2014


On Mon, Sep 15, 2014 at 6:20 PM, bakul khanna <bakulkhanna at gmail.com> wrote:
> I tried both (feeding the pcap file from a different machine as well as
> feeding it from the same machine running Suricata).
>
> Some more answers/observations:
> 1. I am not using unix-socket
> 2. Regardless of the tcp timeout configurations, I cannot get the
> sid=2016808 to occur closer than 5 min in time.
>

Two suggestions to consider:
1 - is all NIC offloading disabled? (when you try it on the same machine)
2 - decrease the "chunk size" config parameter in suricata.yaml.

thanks

> Thanks.
>
> On Mon, Sep 15, 2014 at 9:41 AM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Sun, Sep 14, 2014 at 5:22 PM, bakul khanna <bakulkhanna at gmail.com>
>> wrote:
>> > Thanks Peter.
>> >
>> > Here are the timeouts from my suricata.yaml file:
>> >
>> > default:
>> >     new: 30
>> >     established: 300
>> >     closed: 0
>> >     emergency-new: 10
>> >     emergency-established: 100
>> >     emergency-closed: 0
>> > tcp:
>> >     new: 10
>> >     established: 10
>> >     closed: 10
>> >     emergency-new: 10
>> >     emergency-established: 10
>> >     emergency-closed: 10
>> >
>> > I invoke suricata using the following command:
>> > suricata -D -c /etc/suricata/suricata.yaml -i eth0 --pidfile
>> > /var/run/suricata.pid
>> >
>> > Following the successful alert for sid=2016808, I also immediately see
>> > the following alerts:
>> > 2210032 - ..Suricata Stream FIN1 F1with wrong seq... (sometimes)
>> > 2210045 - ..Suricata stream packet with invalid ack..
>> > 2210046 - ..Suricata stream shutdown RST invalid ack...
>> >
>> > Also, I noticed that I don't have to wait an hour to generate successful
>> > 2016808 alerts, I can now generate successive alerts if I wait 10-15 min.
>> >
>> > Thanks,
>> >
>> > -Bakul
>> >
>>
>> How do you feed the pcaps for reading - tcpreplay?
>> Is it from another machine or from the same one that has Suricata running?
>>
>> thanks
>>
>> >
>> > On Sun, Sep 14, 2014 at 5:37 AM, Peter Manev <petermanev at gmail.com>
>> > wrote:
>> >>
>> >> On Sun, Sep 14, 2014 at 2:35 AM, bakul khanna <bakulkhanna at gmail.com>
>> >> wrote:
>> >> > I am experimenting with having Suricata generate an alert, for an ET
>> >> > rule (sid=2016808), when I perform a tcpreplay of a pcap file for this
>> >> > rule.
>> >> >
>> >> > The first time after a Suricata bringup, it does generate the alert.
>> >> > On subsequent replays of the same pcap file it does not generate the
>> >> > alert. However if I wait a long time (I tried an hour) and then replay
>> >> > the pcap file, Suricata successfully alerts then. There is no threshold
>> >> > limits applied to this rule.
>> >> >
>> >> > I tried reducing the flow and TCP timeouts in suricata.yaml, but that
>> >> > didn't seem to help.
>> >> >
>> >> > Any suggestion on how I can get Suricata to alert successfully on
>> >> > successive tcpreplays of this pcap file?
>> >> >
>> >> > Thanks,
>> >> >
>> >> > -Bakul
>> >> >
>> >>
>> >> Hi,
>> >>
>> >> The way you describe the problem it seems TCP timeouts are the problem.
>> >> I can't be sure though.
>> >>
>> >> Can you please provide your timeout values as set up in yaml and the
>> >> set up you use - how do you start Suricata, do you use unix
>> >> socket (most likely the case)... and so on?
>> >>
>> >>
>> >> --
>> >> Regards,
>> >> Peter Manev
>> >
>>
>> --
>> Regards,
>> Peter Manev
>

-- 
Regards,
Peter Manev
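As an added check (not code from this thread or from the Suricata project): replaying the same pcap presents the same 5-tuple every time, so each replay's SYN lands on a flow that Suricata may still be tracking until its tcp timeout expires. The script below parses a classic pcap and reports each SYN that reuses a TCP flow key closed less than `closed_timeout` seconds earlier; the pcap is constructed inline with two replays 30 s apart, and `closed_timeout` is a value you supply to compare against your own tcp/closed setting.

```python
import struct

SYN, FIN, RST, ACK = 0x02, 0x01, 0x04, 0x10

def build_pcap(packets):
    """Serialise (ts, frame) pairs into a classic little-endian pcap (constructed data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        out += struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(frame), len(frame))
        out += frame
    return out

def tcp_frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame, enough for flow-key extraction (constructed data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def iter_tcp(pcap):
    """Yield (ts, flow_key, tcp_flags) for each IPv4/TCP record; flow_key ignores direction."""
    off = 24                                   # skip the 24-byte pcap global header
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack("<IIII", pcap[off:off + 16])
        f = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(f) < 54 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue                           # too short, not IPv4, or not TCP
        ihl = (f[14] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", f[14 + ihl:14 + ihl + 4])
        ends = sorted([(f[26:30], sport), (f[30:34], dport)])
        yield sec + usec / 1e6, tuple(ends), f[14 + ihl + 13]

def flow_key_reuse(pcap, closed_timeout):
    """Return [(ts, gap)] for every new SYN whose 5-tuple was closed < closed_timeout s before."""
    closed_at, hits = {}, []
    for ts, key, flags in iter_tcp(pcap):
        if flags & SYN and not flags & ACK and key in closed_at:
            gap = ts - closed_at[key]
            if gap < closed_timeout:           # IDS would still hold the old flow
                hits.append((ts, round(gap, 3)))
        if flags & (FIN | RST):
            closed_at[key] = ts                # remember when this key was last closed
    return hits

def replayed_session(start):
    """One short client/server exchange; identical 5-tuple on every replay (constructed)."""
    c, s = "10.0.0.5", "192.0.2.10"
    return [(start, tcp_frame(c, s, 40000, 80, SYN)),
            (start + 0.01, tcp_frame(s, c, 80, 40000, SYN | ACK)),
            (start + 0.02, tcp_frame(c, s, 40000, 80, ACK)),
            (start + 0.50, tcp_frame(c, s, 40000, 80, FIN | ACK)),
            (start + 0.51, tcp_frame(s, c, 80, 40000, FIN | ACK))]

# Two back-to-back replays of the same session, 30 s apart.
SAMPLE = build_pcap(replayed_session(1000.0) + replayed_session(1030.0))
```

Run `flow_key_reuse(open("replay.pcap", "rb").read(), 300)` on a real capture; with the thread's tcp closed timeout of 10 the 30 s gap above is not reported, with the 300 s default it is.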