[Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))

박경호 pgh5247 at naver.com
Tue Jan 24 06:01:03 UTC 2017


Sorry for sending an email with such a huge file attached.
Instead of an email, I will share it via Google Drive.
The link is https://drive.google.com/file/d/0B4Mdb8bpuRlnU282SzRmRGQ3VXc/view?usp=sharing.
 
 
-----Original Message-----
From: "Andreas Herz"<andi at geekosphere.org> 
To: <oisf-users at lists.openinfosecfoundation.org>; 
Cc: 
Sent: 2017-01-24 (Tue) 05:11:57
Subject: Re: [Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))
 
You can't attach such huge files on mails to the mailing list. Please try
to upload them somewhere you trust or try to reduce them to like 10 or
20MB so you can send those to us directly via mail (not the
mailing list!)

On 20/01/17 at 13:11, 박경호 wrote:
> [Large attachment: 1 file (106MB). Large attachments are kept for 30 days / up to 100 downloads. testpcap.pcap 106MB. Download period: 2017/01/20 ~ 2017/02/19]
> I attached the pcap file to use for testing.
> The file size is 111MBytes.
>  
>  
>  
> -----Original Message-----
> From: "Andreas Herz"<andi at geekosphere.org> 
> To: <oisf-users at lists.openinfosecfoundation.org>; 
> Cc: 
> Sent: 2017-01-20 (Fri) 06:13:22
> Subject: Re: [Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))
>  
> On 16/01/17 at 17:15, 박경호 wrote:
> > I did the test using two smaller pcap files. One is 111MB and the other is 66MB.
> > When I run Suricata twice with the 111MB pcap file, the alert messages are different.
> > But when I run Suricata twice with the 66MB pcap file, the alert messages are the same.
> > I merged the two pcap files (45MB, 66MB) into one pcap file (111MB) using Wireshark.
> 
> Can you share the 11MB pcap here or with us from the OISF team?
> 
> > Is this issue about computing resources? (especially a RAM memory issue?)
> 
> I wouldn't say for sure it's a memory issue.
> 
> > Can you recommend how much memory I need in the following situation?
> > When I check some pcap files whose size is more than 1GB with Suricata, how much memory do I need?
> 
> 8GB are not that low IMHO.
> 
> > And,
> > If I add memory to my computer, which parts are changed in the configuration file (suricata.yaml)?
> 
> Without you changing it, nothing.
> 
> >  
> > -----Original Message-----
> > From: "박경호"<pgh5247 at naver.com> 
> > To: "Andreas Herz"<andi at geekosphere.org>; <oisf-users at lists.openinfosecfoundation.org>; 
> > Cc: 
> > Sent: 2017-01-16 (Mon) 16:17:33
> > Subject: Re: [Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))
> >  
> >  
> > -----Original Message-----
> > From: "Andreas Herz"<andi at geekosphere.org> 
> > To: <oisf-users at lists.openinfosecfoundation.org>; 
> > Cc: 
> > Sent: 2017-01-14 (Sat) 06:19:16
> > Subject: Re: [Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))
> >  
> > On 12/01/17 at 10:48, 박경호 wrote:
> > > After upgrading the version from 2.0.11 to 3.2, I did the test again.
> > > Unfortunately, the alert messages were different whenever Suricata was
> > > run with the same pcap file.
> > 
> > Can you be more verbose about that?
> > ==> I run Suricata with the following command: suricata -c suricata.yaml -r testpcap.pcap
> >       (I never changed the configuration file (.yaml)).
> > 
> > > I didn't change the configuration file (suricata.yaml) and the pcap file's size
> > > is 693MB. (PC memory is 8GB, CPU is Intel i5-4460, OS is Ubuntu
> > > 16.06)
> > 
> > Can you try to reproduce the issue with a smaller pcap file that you can
> > share with us?
> > ==> After I try to reproduce it with a smaller pcap file, I will share the result and the pcap file.
> >   
> > > Please explain this situation to me.
> > 
> > I still need more details about your suricata configuration, how do you
> > run suricata, what did you configure?
> > 
> > An easy way to reproduce that for us will help to find a solution (after
> > we found what's the real issue you have).
> > 
> > -- 
> > Andreas Herz
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users 
> > 
> > 
> 
> -- 
> Andreas Herz

-- 
Andreas Herz
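As an added example (not part of this thread or of the Suricata project), a small POSIX shell script that runs Suricata twice on the same pcap and compares the alert summaries extracted from eve.json, which gives the "easy way to reproduce" the thread asks for. It assumes suricata is on PATH and that the suricata.yaml in use has eve-log alert output enabled; the sample eve.json lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: check whether two Suricata runs over one pcap yield the same alerts.
# Assumes: suricata on PATH, eve.json alert logging enabled in the given yaml.

# Summarise alerts in an eve.json as "count signature_id" lines, one per rule.
# Only lines with event_type "alert" are considered; other event types are skipped.
alert_summary() {
    sed -n 's/.*"event_type":"alert".*"signature_id":\([0-9]*\).*/\1/p' "$1" \
        | sort -n | uniq -c | sed 's/^ *//'
}

# Run Suricata once: $1 = pcap file, $2 = suricata.yaml, $3 = log directory.
run_once() {
    mkdir -p "$3"
    suricata -c "$2" -r "$1" -l "$3" >"$3/stdout.log" 2>&1
}

# Compare the alert summaries of two log directories.
# Prints "same" (exit 0) or "different" plus a diff of the summaries (exit 1).
compare_runs() {
    a=$(mktemp); b=$(mktemp)
    alert_summary "$1/eve.json" >"$a"
    alert_summary "$2/eve.json" >"$b"
    if cmp -s "$a" "$b"; then
        echo same; rc=0
    else
        echo different; diff "$a" "$b" || true; rc=1
    fi
    rm -f "$a" "$b"
    return $rc
}

# Usage: ./repro.sh testpcap.pcap suricata.yaml
if [ "$#" -eq 2 ]; then
    run_once "$1" "$2" run1
    run_once "$1" "$2" run2
    compare_runs run1 run2
fi
```

A non-deterministic result shows up as "different" followed by the signature ids whose counts changed, which is the minimal detail to attach to a bug report alongside the pcap and yaml.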