[Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))

Peter Manev petermanev at gmail.com
Fri Feb 3 15:32:06 UTC 2017


On Wed, Feb 1, 2017 at 4:13 AM, 박경호 <pgh5247 at naver.com> wrote:
>
>
>
> -----Original Message-----
> From: "Peter Manev"<petermanev at gmail.com>
> To: "박경호"<pgh5247 at naver.com>;
> Cc: "Andreas Herz"<andi at geekosphere.org>; "oisf-users at lists.openinfosecfoundation.org"<oisf-users at lists.openinfosecfoundation.org>;
> Sent: 2017-01-31 (화) 18:55:58
> Subject: Re: [Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))
>
>
> On Tue, Jan 31, 2017 at 10:20 AM, 박경호 <pgh5247 at naver.com> wrote:
> >
> > Thank you for your efforts.
> >
> > I was also able to get a consistent number of logs/alerts through all the pcap runs (with --runmode=single) with the provided pcap and other pcap files.
> >
> > When I ran Suricata on the multiple pcap files with the 'autofp' runmode, the results were different across the pcap runs (the reassembly memcap was set to '2gb').
>
> They should not differ for autofp as well (with the exception of some
> threshold rules) - did you try adjusting the segment's prealloc size
> if you have segment memcap hits in the stats.log? (Don't forget to
> reorder the resulting pcap as well.)
>
> ==> How can I adjust the segment's prealloc size? And how can I tell whether there are segment memcap hits in the stats.log?
>

With the adjustment that you have previously shown/attached I think
you should be good:
- size: 1460

A hint that the segment size is not right, or that there are not enough
segments, can come from tcp.segment_memcap_drop in stats.log.

> There was a feature pushed recently to git master that is aiming at
> automating this a bit (
> https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L1223
> ).
>
> ==> I changed the reassembly memcap and segments in suricata.yaml as follows:
>
>
> Thanks
>
>
>
> --
> Regards,
> Peter Manev
>




-- 
Regards,
Peter Manev
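An added example, not from the thread or from the Suricata project: a small Python parser for the periodic dumps in a Suricata 3.x stats.log (the three-column "Counter | TM Name | Value" layout is assumed from 3.x output, with only "Total" rows read) that reports tcp.segment_memcap_drop from the latest dump, the counter Peter points to as the sign of segment memcap hits. The stats.log content is constructed for the example.

```python
import re

# Constructed sample of a Suricata 3.x stats.log with two periodic dumps;
# the second one shows segment memcap drops. Not taken from the thread.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 2/3/2017 -- 15:31:56 (uptime: 0d, 00h 00m 08s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 120000
tcp.segment_memcap_drop                    | Total                     | 0
tcp.reassembly_memuse                      | Total                     | 1048576
------------------------------------------------------------------------------------
Date: 2/3/2017 -- 15:32:04 (uptime: 0d, 00h 00m 16s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 240000
tcp.segment_memcap_drop                    | Total                     | 317
tcp.reassembly_memuse                      | Total                     | 2147483648
"""

# One counter row: name | thread-module name | integer value.
COUNTER_RE = re.compile(r"^(\S+)\s+\|\s+(\S+)\s+\|\s+(\d+)\s*$")


def parse_stats_dumps(text):
    """Split stats.log into its periodic dumps (one per 'Date:' header).

    Each dump becomes a {counter_name: value} dict built from the 'Total'
    rows, which is what Suricata 3.x writes by default (stats.totals: yes).
    """
    dumps = []
    current = None
    for line in text.splitlines():
        if line.startswith("Date:"):
            current = {}
            dumps.append(current)
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None and m.group(2) == "Total":
            current[m.group(1)] = int(m.group(3))
    return dumps


def segment_memcap_drops(text):
    """tcp.segment_memcap_drop from the most recent dump (0 if absent).

    A value above 0 means reassembly segments were dropped because the
    segment pool/memcap was exhausted; that is the point at which alert
    counts between runs of the same pcap start to diverge.
    """
    dumps = parse_stats_dumps(text)
    return dumps[-1].get("tcp.segment_memcap_drop", 0) if dumps else 0
```

Run it against a real stats.log by reading the file into a string and passing it to segment_memcap_drops; a non-zero result is the cue to raise the reassembly memcap or the prealloc count for the affected segment size.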

