[Oisf-users] Help on suricata config file, http alarm stop firing after some minutes

Peter Manev petermanev at gmail.com
Tue May 5 22:12:09 UTC 2015


On Fri, May 1, 2015 at 11:02 PM, st3fan0 ste <st3fan_01 at hotmail.com> wrote:
> hi all,
>
> I need some help because I am totally stuck. I attach my suricata config file;
> my issue is that after some minutes that I run suricata, http inspection
> seems broken. In particular I do some manual testing for triggering rules
> that detect access to the .htaccess file, but suricata detects only the first 2 or
> 3 attempts and then nothing else, even if I test from different ips, and after
> 10 or 60 minutes the result is the same. I can see other rules firing, like
> ip-only rules and dns rules, but no http rules.
>
> I appreciate any type of help, advice or tuning settings, because I have
> done so many tests.
>
> thanks in advance
>
> Probe HW:
> 8 CPU
> 16 GB RAM
> 300 HD SAS
> 4 gigabit NICs
>
> total traffic: 50 mbs subdivided over the 4 NICs
>
> I enabled eve logging and it shows that after some minutes detected alerts drop
> drastically
>
> in stats.log tcp.drop shows 0 packets

Can you please share your start command line?
What kernel version/OS do you use?
Which one do you use - af-packet or pf-ring? (Or are you just
testing with both?)

Also - what is in rule-files.yaml? (Is it just rules?)


Thanks

>
> Regards
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net



-- 
Regards,
Peter Manev


