[Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))

박경호 pgh5247 at naver.com
Wed Feb 1 03:13:03 UTC 2017


 
-----Original Message-----
From: "Peter Manev"<petermanev at gmail.com> 
To: "박경호"<pgh5247 at naver.com>; 
Cc: "Andreas Herz"<andi at geekosphere.org>; "oisf-users at lists.openinfosecfoundation.org"<oisf-users at lists.openinfosecfoundation.org>; 
Sent: 2017-01-31 (Tue) 18:55:58
Subject: Re: [Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))
 
On Tue, Jan 31, 2017 at 10:20 AM, 박경호 <pgh5247 at naver.com> wrote:
>
> Thank you for your efforts.
>
> I was also able to get a consistent number of logs/alerts across all the pcap runs (with --runmode=single) with the provided pcap and other pcap files.
>
> When I ran Suricata on multiple pcap files in the autofp runmode, the results differed across the pcap runs (reassembly memcap was set to '2gb').

They should not differ for autofp either (with the exception of some
threshold rules). Did you try adjusting the segment prealloc size
if you have segment memcap hits in the stats.log? (Don't forget to
reorder the resulting pcap as well.)
==> How can I adjust the segment prealloc size? And how can I tell from the stats.log whether there are segment memcap hits?

There was a feature pushed recently to git master that aims at
automating this a bit (
https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L1223
).
==> I changed the reassembly memcap and segments in suricata.yaml as follows:


Thanks



-- 
Regards,
Peter Manev
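The thread asks how to tell from stats.log whether segment memcap hits occurred, which is the check to make before comparing alert counts between pcap runs. The script below is an added example for this thread, not code from the original post or from the Suricata project. It parses the counter table that Suricata 3.x appends to stats.log, keeps the most recent dump, and reports the drop counters that are non-zero only when a memcap was reached. The counter names are the ones Suricata 3.x emits; the log text embedded in the script is constructed for the example, not taken from the thread, and the 256mb default memcap is an assumed value.

```python
#!/usr/bin/env python3
"""Flag memcap hits in a Suricata stats.log before comparing pcap runs.

Added example (not from the mailing-list post or the Suricata project).
SAMPLE_STATS_LOG is a constructed log; counter names are Suricata 3.x's.
"""
import re
import sys
from typing import Dict

# Drop counters that stay at zero unless a memcap was reached.
MEMCAP_DROP_COUNTERS = (
    "tcp.segment_memcap_drop",   # reassembly segment memcap hit
    "tcp.ssn_memcap_drop",       # stream session memcap hit
    "flow.memcap",               # flow memcap hit
    "defrag.max_frag_hits",      # defrag limit hit
)

# One counter row: "name | TM Name | value"; header and rule lines do not match.
COUNTER_LINE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

# Constructed two-dump log: the second dump shows segment drops at full memuse.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 2/1/2017 -- 03:10:00 (uptime: 0d, 00h 00m 08s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 120000
tcp.segment_memcap_drop                    | Total                     | 0
tcp.reassembly_memuse                      | Total                     | 100000000
------------------------------------------------------------------------------------
Date: 2/1/2017 -- 03:10:08 (uptime: 0d, 00h 00m 16s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 250000
tcp.segment_memcap_drop                    | Total                     | 1472
tcp.ssn_memcap_drop                        | Total                     | 0
tcp.reassembly_memuse                      | Total                     | 268435456
tcp.reassembly_gap                         | Total                     | 37
flow.memcap                                | Total                     | 0
defrag.max_frag_hits                       | Total                     | 0
detect.alert                               | Total                     | 412
"""


def parse_size(text: str) -> int:
    """Convert a suricata.yaml memcap string such as '2gb' to bytes."""
    units = {"kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}
    t = text.strip().lower()
    for suffix, mult in units.items():
        if t.endswith(suffix):
            return int(t[:-len(suffix)]) * mult
    return int(t)


def parse_last_dump(text: str) -> Dict[str, int]:
    """Return {counter: value} for the last dump in an append-only stats.log.

    Each dump starts with a 'Date:' line. A 'Total' row wins; per-thread
    rows (when per-thread stats are enabled) are summed as a fallback.
    """
    dumps = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            dumps.append(({}, {}))          # (totals, per-thread sums)
            continue
        m = COUNTER_LINE.match(line)
        if not (m and dumps):
            continue
        name, tm, value = m.groups()
        totals, threads = dumps[-1]
        if tm == "Total":
            totals[name] = int(value)
        else:
            threads[name] = threads.get(name, 0) + int(value)
    if not dumps:
        return {}
    totals, threads = dumps[-1]
    merged = dict(threads)
    merged.update(totals)
    return merged


def memcap_hits(counters: Dict[str, int]) -> Dict[str, int]:
    """Non-zero memcap drop counters; an empty dict means no memcap hits."""
    return {n: counters[n] for n in MEMCAP_DROP_COUNTERS if counters.get(n, 0) > 0}


def reassembly_pressure(counters: Dict[str, int], memcap_bytes: int) -> float:
    """Fraction of stream.reassembly.memcap in use at the last dump."""
    return counters.get("tcp.reassembly_memuse", 0) / memcap_bytes


def main(argv):
    # Usage: check_memcap.py [/var/log/suricata/stats.log] [reassembly-memcap]
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_STATS_LOG
    memcap = parse_size(argv[2] if len(argv) > 2 else "256mb")  # assumed default
    counters = parse_last_dump(text)
    print("reassembly memuse: {:.0%} of memcap".format(reassembly_pressure(counters, memcap)))
    hits = memcap_hits(counters)
    if not hits:
        print("no memcap hits; run-to-run differences are not a memcap problem")
        return 0
    for name, value in hits.items():
        print("MEMCAP HIT {} = {}".format(name, value))
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero tcp.segment_memcap_drop means reassembly segments were discarded, so the stream data never reached detection and alert counts can legitimately differ between runs; in the 3.x suricata.yaml the relevant knobs are stream.reassembly.memcap and the prealloc values in the stream.reassembly.segments pool list. Reordering the pcap first (Wireshark's reordercap, for example) removes a second source of run-to-run variation.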
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1485918730741.png
Type: image/png
Size: 14645 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170201/b2aca6b0/attachment-0002.png>

