[Oisf-users] Question about observation

Greg Grasmehr greg.grasmehr at caltech.edu
Thu Dec 21 19:14:44 UTC 2017


Greetings List,

I am hoping someone can shed some light on what I have observed with
Suricata as outlined below.  I do not have alert throttling enabled.

Given tcpdump -B 102400000 -nn -vvv -i p1p1 -w /tmp/test.pcap

The given is a complete dump of a Myricom 10G interface running SNF+ V3,
with no packets reported dropped by the interface or kernel during
capture, so a complete set of network traffic for a period of time.

When reading that file Suricata consistently misses malicious traffic I
have sent from a remote host.  For example, there might be 8 instances
where an alert should be fired, but only 3 will ever fire, and always
the same three from the same period of time each parse of the file.

Given tcpdump -r /tmp/test.pcap -nn -vvv 'ip host REDACTED and tcp port 80' -w /test2.pcap

The given is a subset of the entire pcap file, parsing out only traffic
from my malicious host.  When reading this file Suricata does exactly
the same as it does when reading the complete pcap file, it fires on the
same alerts every time and misses the others - this is repeated exactly
the same each run over either pcap file.

Snort, which is really really slow, will alert on every instance of the
malicious traffic; Suricata, which is exponentially faster, does not.  My
guess is that this is a problem with threading but I really have no idea
and am very curious as to the reason this happens.

On another note, is it reasonable to assume that if Suricata can read
say 30 seconds of complete network traffic dump from a flat pcap file in
under 30 seconds with the ruleset that is loaded, that it then has no
problem keeping up with live traffic read off the wire?

Thanks in advance for any information and Happy Holidays.

Greg
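One way to narrow down a report like the one above is to read the same pcap twice under different settings and diff the alert sets rather than eyeballing fast.log. The script below is an added example written for this thread, not code from the post or from the Suricata project. It assumes two EVE JSON outputs (one `eve.json` per `suricata -r <pcap> -l <logdir>` run, for instance a default run and a run with a different `--runmode` or with `-k none` checksum handling), and it keys alerts on signature id plus the TCP 4-tuple so that the same detection in two runs lines up. The sample EVE lines are constructed for the example; the nested `stats.tcp.invalid_checksum` key path is an assumption about Suricata's stats event layout.

```python
"""Diff Suricata EVE alert output from two reads of the same pcap.

Added example for the mailing-list question above; not Suricata code.
Usage on real data: compare_runs(open('runA/eve.json').read(),
                                 open('runB/eve.json').read())
"""
import json
from collections import Counter

# Constructed sample EVE output (not from the original post).
# Run A fires on three of four test flows; run B fires on all four.
RUN_A = """\
{"timestamp":"2017-12-21T10:00:01.000000+0000","flow_id":1,"event_type":"alert","src_ip":"198.51.100.7","src_port":44001,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"signature_id":2000001,"rev":1,"signature":"TEST sample alert","category":"Misc","severity":3}}
{"timestamp":"2017-12-21T10:00:02.000000+0000","flow_id":2,"event_type":"alert","src_ip":"198.51.100.7","src_port":44002,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"signature_id":2000001,"rev":1,"signature":"TEST sample alert","category":"Misc","severity":3}}
{"timestamp":"2017-12-21T10:00:03.000000+0000","flow_id":3,"event_type":"alert","src_ip":"198.51.100.7","src_port":44003,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"signature_id":2000001,"rev":1,"signature":"TEST sample alert","category":"Misc","severity":3}}
{"timestamp":"2017-12-21T10:00:30.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":4000,"kernel_drops":0},"tcp":{"invalid_checksum":2}}}
"""

RUN_B = """\
{"timestamp":"2017-12-21T10:00:01.000000+0000","flow_id":1,"event_type":"alert","src_ip":"198.51.100.7","src_port":44001,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"signature_id":2000001,"rev":1,"signature":"TEST sample alert","category":"Misc","severity":3}}
{"timestamp":"2017-12-21T10:00:02.000000+0000","flow_id":2,"event_type":"alert","src_ip":"198.51.100.7","src_port":44002,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"signature_id":2000001,"rev":1,"signature":"TEST sample alert","category":"Misc","severity":3}}
{"timestamp":"2017-12-21T10:00:03.000000+0000","flow_id":3,"event_type":"alert","src_ip":"198.51.100.7","src_port":44003,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"signature_id":2000001,"rev":1,"signature":"TEST sample alert","category":"Misc","severity":3}}
{"timestamp":"2017-12-21T10:00:04.000000+0000","flow_id":4,"event_type":"alert","src_ip":"198.51.100.7","src_port":44004,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"signature_id":2000001,"rev":1,"signature":"TEST sample alert","category":"Misc","severity":3}}
{"timestamp":"2017-12-21T10:00:30.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":4000,"kernel_drops":0},"tcp":{"invalid_checksum":0}}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def alert_keys(events):
    """Count alerts by (sid, src_ip, src_port, dest_ip, dest_port).

    The 4-tuple plus signature id is stable across runs of the same pcap,
    so it is a safer join key than flow_id or timestamp.
    """
    keys = Counter()
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        keys[(ev["alert"]["signature_id"], ev["src_ip"], ev["src_port"],
              ev["dest_ip"], ev["dest_port"])] += 1
    return keys


def missing_alerts(text_a, text_b):
    """Alerts that fired in run B but not in run A, sorted for stable output."""
    a, b = alert_keys(parse_eve(text_a)), alert_keys(parse_eve(text_b))
    return sorted(k for k in b if k not in a)


def invalid_checksums(text):
    """Sum tcp.invalid_checksum over all stats events.

    Key path (stats -> tcp -> invalid_checksum) is assumed from Suricata's
    stats output; a non-zero value on a pcap read is worth a closer look,
    since bad checksums can stop stream reassembly for the affected flows.
    """
    total = 0
    for ev in parse_eve(text):
        if ev.get("event_type") == "stats":
            total += ev.get("stats", {}).get("tcp", {}).get("invalid_checksum", 0)
    return total


def compare_runs(text_a, text_b):
    """Summarise what differs between two EVE outputs of the same pcap."""
    return {
        "only_in_b": missing_alerts(text_a, text_b),
        "only_in_a": missing_alerts(text_b, text_a),
        "invalid_checksum_a": invalid_checksums(text_a),
        "invalid_checksum_b": invalid_checksums(text_b),
    }


if __name__ == "__main__":
    for k, v in compare_runs(RUN_A, RUN_B).items():
        print(k, v)
```

If the set of missing alerts is identical across runmodes and across the full and filtered pcap, as the post describes, the cause is more likely in how those specific flows are parsed (checksums, stream state, reassembly depth) than in thread scheduling; if the missing set changes between runs, threading or packet ordering becomes the more interesting lead.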


