[Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))

박경호 pgh5247 at naver.com
Fri Jan 20 04:11:16 UTC 2017


 대용량 첨부파일 1개(106MB)대용량 첨부 파일은 30일간 보관 / 100회까지 다운로드 가능  testpcap.pcap 106MB  다운로드 기간: 2017/01/20 ~ 2017/02/19I attached the pcap file to use  for testing.
file size is 111MBytes.
 
 
 
-----Original Message-----
From: "Andreas Herz"<andi at geekosphere.org> 
To: <oisf-users at lists.openinfosecfoundation.org>; 
Cc: 
Sent: 2017-01-20 (금) 06:13:22
Subject: Re: [Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))
 
On 16/01/17 at 17:15, 박경호 wrote:
> I did the test to use two smaller pcap files. one is 111MB and another is 66MB.
> when i run the suricata twice with 111MB pcap file, the alert messages are different. 
> But when i run the suricata twice with 66MB pcap file, the alert messagte is same.
> I merged the two pcap files(45MB, 66MB) to one pcap file(111MB) using wire-shark.

Can you share thoe 11MB pcap here or with us from the OISF team?

> Is the this issue  computing resources?(specially ram memory issue?)

I wouldn't say for sure it's an memory issue.

> Can you recommend me  how much memory i need in the following situation?
> when i check some pcap files which the size is more than 1GB with suricata,  how much memory do i  need? 

8GB are not that low IMHO.

> And,
> If I add the memory in my computer, which parts are changed in configuration file(suricata.yaml)?

Without you changing it, nothing.

>  
> -----Original Message-----
> From: "박경호"<pgh5247 at naver.com> 
> To: "Andreas Herz"<andi at geekosphere.org>; <oisf-users at lists.openinfosecfoundation.org>; 
> Cc: 
> Sent: 2017-01-16 (월) 16:17:33
> Subject: Re: [Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))
>  
>  
> -----Original Message-----
> From: "Andreas Herz"<andi at geekosphere.org> 
> To: <oisf-users at lists.openinfosecfoundation.org>; 
> Cc: 
> Sent: 2017-01-14 (토) 06:19:16
> Subject: Re: [Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))
>  
> On 12/01/17 at 10:48, 박경호 wrote:
> > After upgrading the version from 2.0.11 to 3.2, I did the test again.
> > Unfortunately, alert messages were different whenever the suricata was
> > run with same a pcap-file.
> 
> Can you be more verbose about that?
> ==> i run the suricata like the following command : suricata -c suricata.yaml -r testpcap.pcap
>       ( i never changed the configure file(.yaml)).
> 
> > I didn't change the configure file(suricata.yaml) and pcap-file's size
> > is 693MB.  (pc memory is 8GB, cpu is intel i5-4460, os is Ubuntu
> > 16.06)
> 
> Can you try to reproduce the issue with a smaller pcap file that you can
> share with us?
> ==> After i try to reproduce with a smaller pcap file, i will share the result and pcap file.
>   
> > please explain to me about this situation.
> 
> I still need more details about your suricata configuration, how do you
> run suricata, what did you configure?
> 
> An easy way to reproduce that for us will help to find a solution (after
> we found what's the real issue you have).
> 
> -- 
> Andreas Herz
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users 
> 
> 

-- 
Andreas Herz
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170120/6d645f19/attachment-0002.html>


More information about the Oisf-users mailing list