[Oisf-users] Suricata isn't passing all the packets from the pcap

Simon Janeshvili sikking23 at yahoo.com
Tue Apr 4 11:49:46 UTC 2017


My command is: sudo suricata -c /etc/suricata/suricata-debian.yaml -r /home/pi/now.pcap

On Tuesday, April 4, 2017, 5:27:32 PM GMT+3, Peter Manev <petermanev at gmail.com> wrote:

On Mon, Apr 3, 2017 at 11:38 AM, Simon Janeshvili <sikking23 at yahoo.com> wrote:
> I am using Suricata 3.2.
>
> the Lua script:
> <code>
> function init (args)
>    local needs = {}
>    needs["packet"] = tostring(true)
>    needs["payload"] = tostring(true)
>    return needs
> end
>
> function match(args)
>      print("********************************")
>    return 1
> end
>
> return 0
> </code>
>
> very simple one, and this is happening in every pcap I'm using; I just count
> the number of lines and see there is a difference.
> By the way, Suricata is still telling at the end the right amount (as it says in
> Wireshark) but the number of lines is way off.


How do you start/run that Suricata test?
How do you do the test sequence?
Can you share the pcap?


Thank you

-- 
Regards,
Peter Manev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: now.pcap
Type: application/octet-stream
Size: 5390 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170404/706ae9ab/attachment-0002.obj>
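The comparison Simon describes (packets in the pcap versus lines the Lua `match` function printed) can be made repeatable instead of counted by hand. The following script is an added example, not code from the thread or from the Suricata project: it parses the classic pcap container directly (global header plus per-record headers, both byte orders, refusing pcapng files), counts the records, and counts the marker lines the posted script prints in a captured Suricata stdout. The sample pcap bytes and the sample Suricata output are constructed here for illustration; the marker string is the one from the posted script.

```python
import struct

# Marker printed by the posted Lua match() function, one line per call.
MARKER = "********************************"

# Little-endian magic values of classic pcap (usec and nsec timestamp variants)
# as read with "<I"; the byte-swapped values identify big-endian files.
_LE_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)
_BE_MAGICS = (0xD4C3B2A1, 0x4D3CB2A1)
_PCAPNG_MAGIC = 0x0A0D0D0A  # section header block type, not a classic pcap


def count_pcap_packets(data: bytes) -> int:
    """Count records in a classic pcap file held in memory."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic in _LE_MAGICS:
        end = "<"
    elif magic in _BE_MAGICS:
        end = ">"
    elif magic == _PCAPNG_MAGIC:
        raise ValueError("pcapng file; this parser handles classic pcap only")
    else:
        raise ValueError(f"unknown pcap magic {magic:#010x}")

    off, count = 24, 0  # skip the 24-byte global header
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(
            end + "IIII", data[off:off + 16]
        )
        off += 16
        if off + incl_len > len(data):
            raise ValueError(f"truncated record data at offset {off}")
        off += incl_len
        count += 1
    return count


def count_marker_lines(output: str) -> int:
    """Count lines of captured Suricata stdout that are exactly the marker."""
    return sum(1 for line in output.splitlines() if line.strip() == MARKER)


def compare_counts(pcap_bytes: bytes, suricata_output: str) -> dict:
    """Return packets read, match() calls observed, and the difference."""
    packets = count_pcap_packets(pcap_bytes)
    calls = count_marker_lines(suricata_output)
    return {"packets": packets, "match_calls": calls, "gap": packets - calls}


def build_sample_pcap(payloads, big_endian: bool = False) -> bytes:
    """Construct a minimal classic pcap (linktype 1, Ethernet) for testing."""
    end = ">" if big_endian else "<"
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    header = struct.pack(end + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [header]
    for i, payload in enumerate(payloads):
        records.append(struct.pack(end + "IIII", 1491306000 + i, 0,
                                   len(payload), len(payload)))
        records.append(payload)
    return b"".join(records)


# Constructed sample: three records, but only two marker lines in the output.
SAMPLE_PCAP = build_sample_pcap([b"\x00" * 60, b"\x01" * 64, b"\x02" * 80])
SAMPLE_OUTPUT = "\n".join([
    MARKER,
    "4/4/2017 -- 11:49:46 - <Notice> - (constructed line) engine started",
    MARKER,
    "4/4/2017 -- 11:49:47 - <Notice> - (constructed line) pcap-file: 3 packets",
])

if __name__ == "__main__":
    print(compare_counts(SAMPLE_PCAP, SAMPLE_OUTPUT))
```

Run it against a real capture with `count_pcap_packets(open("now.pcap", "rb").read())` and the saved stdout of `suricata -r now.pcap`; a non-zero `gap` is the symptom reported in this thread and is the number to compare with Suricata's own end-of-run packet count.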