[Oisf-users] EXTERNAL: Re: Making Suricata Alert Per Matching Packet
Cooper F. Nelson
cnelson at ucsd.edu
Tue Apr 12 16:27:16 UTC 2016
I suspect it's just that the stream tracker is designed to only generate
one alert per flow. I would even say this is expected behavior.
-Coop
On 4/12/2016 7:51 AM, Rasmor, Zachary R wrote:
> Hi Shane,
>
> Good questions; I've had some similar ones myself and haven't totally gotten
> to the bottom of them yet. As a test, you might try adding "flow: no_stream"
> (for inspecting packets only) and "flow: only_stream" (for streams only) and
> seeing how your results change in each case.
>
> Zach
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042