[Oisf-users] Question about observation

Michał Purzyński michalpurzynski1 at gmail.com
Fri Dec 22 00:13:35 UTC 2017


Can you share this pcap?

> On Dec 21, 2017, at 11:14 AM, Greg Grasmehr <greg.grasmehr at caltech.edu> wrote:
> 
> Greetings List,
> 
> I am hoping someone can shed some light on what I have observed with
> Suricata as outlined below.  I do not have alert throttling enabled.
> 
> Given tcpdump -B 102400000 -nn -vvv -i p1p1 -w /tmp/test.pcap
> 
> The given is a complete dump of a Myricom 10G interface running SNF+ V3,
> with no packets reported dropped by the interface or kernel during
> capture, so a complete set of network traffic for a period of time.
> 
> When reading that file Suricata consistently misses malicious traffic I
> have sent from a remote host.  For example, there might be 8 instances
> where an alert should be fired, but only 3 will ever fire, and always
> the same three from the same period of time each parse of the file.
> 
> Given tcpdump -r /tmp/test.pcap -nn -vvv 'ip host REDACTED and tcp port 80' -w /test2.pcap
> 
> The given is a subset of the entire pcap file, parsing out only traffic
> from my malicious host.  When reading this file Suricata does exactly
> the same as it does when reading the complete pcap file, it fires on the
> same alerts every time and misses the others - this is repeated exactly
> the same each run over either pcap file.
> 
> Snort, which is really, really slow, will alert on every instance of the
> malicious traffic; Suricata, which is exponentially faster, does not.  My
> guess is that this is a problem with threading, but I really have no idea
> and am very curious as to the reason this happens.
> 
> On another note, is it reasonable to assume that if Suricata can read
> say 30 seconds of complete network traffic dump from a flat pcap file in
> under 30 seconds with the ruleset that is loaded, that it then has no
> problem keeping up with live traffic read off the wire?
> 
> Thanks in advance for any information and Happy Holidays.
> 
> Greg
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
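The "always the same three fire, the others never do" pattern described above is easiest to chase by running Suricata over the same pcap with one setting changed at a time and diffing the alerts per flow, rather than just counting them. The script below is an added example for this thread, not code from the original post or from the Suricata project. It assumes two eve.json files written by runs such as `suricata -r /tmp/test.pcap -l run_a --runmode autofp` and `suricata -r /tmp/test.pcap -l run_b --runmode single` (the same comparison works for any other single variable, e.g. checksum verification via `-k all` versus `-k none`); the eve.json records embedded in it are constructed for illustration and are not real captures.

```python
import json
from collections import Counter

# Constructed sample eve.json output from two hypothetical runs over the same
# pcap. These records are made up for this example; they are not from the thread.
RUN_A = """\
{"timestamp":"2017-12-21T11:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"signature_id":2100001,"rev":1,"signature":"TEST alert one"}}
{"timestamp":"2017-12-21T11:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP"}
{"timestamp":"2017-12-21T11:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51002,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"signature_id":2100002,"rev":1,"signature":"TEST alert two"}}
{"timestamp":"2017-12-21T11:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51004,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"signature_id":2100001,"rev":1,"signature":"TEST alert one"}}
"""

# Second run: only one of the three alerts fires, plus a stats record and a
# line truncated mid-write, which a robust reader must skip rather than crash on.
RUN_B = """\
{"timestamp":"2017-12-21T11:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51004,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"signature_id":2100001,"rev":1,"signature":"TEST alert one"}}
{"timestamp":"2017-12-21T11:00:05.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":1234}}}
{"timestamp":"2017-12-21T11:00:06.0
"""


def iter_alerts(eve_text):
    """Yield the alert records from eve.json text.

    Other event types (flow, http, stats, ...) are ignored, and a truncated or
    otherwise unparsable line is skipped instead of aborting the comparison.
    """
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if event.get("event_type") == "alert" and "alert" in event:
            yield event


def alert_counts(eve_text):
    """Count alerts per (signature_id, signature)."""
    counts = Counter()
    for ev in iter_alerts(eve_text):
        counts[(ev["alert"]["signature_id"], ev["alert"]["signature"])] += 1
    return counts


def alert_keys(eve_text):
    """Key each alert by (sid, src_ip, src_port, dest_ip, dest_port) so that a
    missing alert can be tied to the exact flow it should have fired on."""
    return {
        (ev["alert"]["signature_id"], ev["src_ip"], ev.get("src_port", 0),
         ev["dest_ip"], ev.get("dest_port", 0))
        for ev in iter_alerts(eve_text)
    }


def compare_runs(eve_a, eve_b):
    """Summarise how two Suricata runs over the same pcap differ.

    Returns the per-flow alert keys seen only in A, only in B, and the
    (count_a, count_b) pair for every sid whose total differs between runs.
    """
    keys_a, keys_b = alert_keys(eve_a), alert_keys(eve_b)
    counts_a, counts_b = alert_counts(eve_a), alert_counts(eve_b)
    sids = {sid for sid, _ in counts_a} | {sid for sid, _ in counts_b}
    delta = {}
    for sid in sids:
        n_a = sum(n for (s, _), n in counts_a.items() if s == sid)
        n_b = sum(n for (s, _), n in counts_b.items() if s == sid)
        if n_a != n_b:
            delta[sid] = (n_a, n_b)
    return {
        "only_in_a": sorted(keys_a - keys_b),
        "only_in_b": sorted(keys_b - keys_a),
        "count_delta": delta,
    }


if __name__ == "__main__":
    result = compare_runs(RUN_A, RUN_B)
    for sid, (n_a, n_b) in sorted(result["count_delta"].items()):
        print(f"sid {sid}: {n_a} alerts in run A, {n_b} in run B")
    for key in result["only_in_a"]:
        print("fired in run A but not run B:", key)
```

In practice, replace the embedded strings with the contents of each run's eve.json (`open(path).read()`). Keying on the flow 5-tuple rather than on the sid alone is what distinguishes "the detection is flaky" from "the same flows are always missed", which is the question the poster is asking: if the missing keys are identical across repeated runs with the same settings but change when the runmode or another single setting changes, that setting is where to look.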
