[Oisf-users] Inconsistent Alerting
Andreas Herz
andi at geekosphere.org
Mon Feb 22 21:20:46 UTC 2016
Hi,
On 22/02/16 at 16:29, derek_smithg at yahoo.com wrote:
> I have been running Suricata against several pcaps with different
> yaml configurations and am seeing the total count of alerts change from
> one run to another, or even with the same yaml but run at a
> different time. Has anyone come across anything similar before?
How do you run suricata?
And can you describe what you expected or what you want to achieve?
> Suricata-2.0.11
Might be worth testing 3.0 :)
> I ran them against 3 pcaps of sizes roughly 100GB, 200GB, and 400GB,
> and tallied the alert counts, outputting any that were not the same
> across the board.
Such big pcaps are rather hard to debug/send. Can you narrow down
"strange" behaviour to smaller pcaps that you can also share with us?
> This may be a different issue, but I have looked into 12037, which is
> very similar to 2101633 but with added replace and byte_test
> keywords, and think it might be a false positive. From carving out the
> IPs involved with it from the pcap and running Suricata on that alone
> it hits that one alert about 50% of the time. I ran it once with
> alert-debug output and found the packet it's supposedly alerting on and
> cannot find the byte pattern that would match to it.
It would also be helpful to narrow this down to a smaller pcap so that
we can also inform the ET guys if it's really a false positive.
--
Andreas Herz
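The tallying Derek describes (run the same pcap several times, count alerts per rule, list the rules whose counts differ between runs) is easy to make repeatable. The script below is an added example, not code from the thread or from the Suricata project; it assumes the standard fast.log line layout, where each alert carries its rule identity as `[gid:sid:rev]` right after the first `[**]`, and the three fast.log excerpts inside it are constructed stand-ins for three runs over the same pcap (sid 2101633 is the one named in the thread, the 1000001/1000002 sids are placeholders).

```python
import re
from collections import Counter

# fast.log alert lines look like:
#   02/22/2016-16:29:00.000001  [**] [1:2101633:12] msg [**] [Classification: ...] ...
# The "[gid:sid:rev]" triple is all we need to tally alerts per rule.
SID_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] ")


def count_alerts(fast_log_text):
    """Count alert lines per signature id (sid) in one fast.log's contents."""
    counts = Counter()
    for line in fast_log_text.splitlines():
        m = SID_RE.search(line)
        if m:
            counts[int(m.group(2))] += 1
    return counts


def inconsistent_sids(run_counts):
    """Return {sid: [count in run 1, count in run 2, ...]} for every sid whose
    count is not identical across all runs. A sid absent from a run counts as 0,
    so a rule that fires in some runs and never in others is reported too."""
    all_sids = set()
    for counts in run_counts:
        all_sids.update(counts)
    diffs = {}
    for sid in sorted(all_sids):
        per_run = [counts.get(sid, 0) for counts in run_counts]
        if len(set(per_run)) > 1:
            diffs[sid] = per_run
    return diffs


def load_fast_logs(paths):
    """Read one fast.log per run (hypothetical paths) and return per-sid Counters."""
    run_counts = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            run_counts.append(count_alerts(fh.read()))
    return run_counts


def report(diffs):
    """Format the inconsistent sids as one line per rule."""
    return "\n".join(f"sid {sid}: counts per run {per_run}"
                     for sid, per_run in diffs.items())


# Constructed fast.log excerpts (not real capture data): three runs of one pcap.
# Run 1 and run 3 agree; run 2 lost one hit of sid 2101633.
RUN_1 = """\
02/22/2016-16:29:00.000001  [**] [1:2101633:12] CONSTRUCTED msg A [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:41234 -> 10.0.0.9:80
02/22/2016-16:29:01.000002  [**] [1:2101633:12] CONSTRUCTED msg A [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:41235 -> 10.0.0.9:80
02/22/2016-16:29:02.000003  [**] [1:1000001:1] CONSTRUCTED msg B [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.7:5353 -> 10.0.0.1:53
02/22/2016-16:29:03.000004  [**] [1:1000002:1] CONSTRUCTED msg C [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.8:50000 -> 10.0.0.9:443
"""
RUN_2 = """\
02/22/2016-16:29:00.000001  [**] [1:2101633:12] CONSTRUCTED msg A [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:41234 -> 10.0.0.9:80
02/22/2016-16:29:02.000003  [**] [1:1000001:1] CONSTRUCTED msg B [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.7:5353 -> 10.0.0.1:53
02/22/2016-16:29:03.000004  [**] [1:1000002:1] CONSTRUCTED msg C [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.8:50000 -> 10.0.0.9:443
"""
RUN_3 = RUN_1

SAMPLE_RUN_COUNTS = [count_alerts(r) for r in (RUN_1, RUN_2, RUN_3)]

if __name__ == "__main__":
    # With real data: report(inconsistent_sids(load_fast_logs(["run1/fast.log", ...])))
    print(report(inconsistent_sids(SAMPLE_RUN_COUNTS)))
```

Rules that show up in the output are the ones worth isolating: carve the flows that trigger them into a small pcap (as suggested above) and rerun only that, which both keeps the reproducer shareable and makes a 50%-of-the-time hit like the 2101633 case visible in a handful of runs. If the runs write eve.json instead of fast.log, the same comparison works by keying on the `alert.signature_id` field of each alert record.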