[Oisf-users] multiple alerts being logged to unified2

Russell Fulton r.fulton at auckland.ac.nz
Wed Feb 25 02:34:06 UTC 2015


Is there a way to tell suri to log a single alert per ‘event’? I am now seeing lots of cases where I get multiple alerts with different packet data for a single detection event. Most of these are for rules where the detection would have occurred on the reassembled stream, so I assume that suri just dumps the stream buffer because it does not know which packet the data was in.

Many of these are for compressed content, so the raw packet data is pretty useless anyway. Since I am now getting suri to log pcaps and sucking them into moloch (spooling them to /run/shm), if I want to look at the stream I can get it from moloch. BTW, the packet capture spooled to moloch seems to work well, but it is still early days.

I am using both fast and unified2 outputs.  I will probably soon move to eve and throw the lot in ES.  Will that suffer from the multiple alerts too?  I am guessing not since iirc eve does not log data by default.
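The pattern the post describes, one event record followed by several packet records, can be checked directly in the unified2 file. The following is an added example, not code from the post or from Suricata: it builds a constructed unified2 byte stream (sample values only, no real traffic), walks the records, and groups packet records with their event by the (sensor_id, event_id) pair, which is how unified2 ties packet data to a detection; record types 2 and 104 and the field layouts follow the unified2 format, and the helper names are my own.

```python
import struct
from collections import OrderedDict

# Unified2 record types (Snort/Suricata unified2 format)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT_V2 = 104              # Suricata's IPv4 event record

RECORD_HDR = struct.Struct("!II")        # record type, record length (big-endian)
EVENT_V2 = struct.Struct("!11I2H4BIHH")  # 60-byte IPv4 event body
PACKET_HDR = struct.Struct("!7I")        # 28-byte packet header, then packet bytes

def build_event(sensor_id, event_id, sig_id):
    """Constructed event record (sample values, not captured data)."""
    body = EVENT_V2.pack(sensor_id, event_id, 1424831646, 0, sig_id, 1, 1, 3, 2,
                         0x0A000001, 0xC0A80001, 40000, 80, 6, 0, 0, 0, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT_V2, len(body)) + body

def build_packet(sensor_id, event_id, payload):
    """Constructed packet record carrying `payload` as fake link-layer data."""
    body = PACKET_HDR.pack(sensor_id, event_id, 1424831646, 1424831646, 0, 1,
                           len(payload)) + payload
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body

def iter_records(data):
    """Yield (type, body) for every record in a unified2 byte stream."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        yield rtype, data[off:off + rlen]
        off += rlen

def summarize(data):
    """Map (sensor_id, event_id) -> {'sig_id': ..., 'packets': n}.
    Several packet records for one detection collapse to one entry."""
    events = OrderedDict()
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT_V2:
            f = EVENT_V2.unpack(body)
            events[(f[0], f[1])] = {"sig_id": f[4], "packets": 0}
        elif rtype == UNIFIED2_PACKET:
            sensor_id, event_id = PACKET_HDR.unpack_from(body)[:2]
            entry = events.setdefault((sensor_id, event_id), {"sig_id": None, "packets": 0})
            entry["packets"] += 1
    return events

# Constructed stream: one event followed by three packet records (the post's pattern)
SAMPLE = (build_event(0, 7, 1000001)
          + build_packet(0, 7, b"\x00" * 14 + b"GET /a HTTP/1.1\r\n")
          + build_packet(0, 7, b"\x00" * 14 + b"Host: example.test\r\n")
          + build_packet(0, 7, b"\x00" * 14 + b"\x1f\x8b\x08\x00gzipbody"))

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(f"sensor={key[0]} event={key[1]} sid={info['sig_id']} packet_records={info['packets']}")
```

Run against a real unified2 file by reading it into `data` in place of `SAMPLE`; the packet count per event shows how many records a single detection produced.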
