[Oisf-users] [Question] suricata test with pcap-file(After upgrading the suricata version(2.0.11 --> 3.2))

Peter Manev petermanev at gmail.com
Tue Jan 31 09:55:58 UTC 2017


On Tue, Jan 31, 2017 at 10:20 AM, 박경호 <pgh5247 at naver.com> wrote:
>
> Thank you for your efforts.
>
> I was also able to have a consistent number of logs/alerts through all the pcap runs (with --runmode=single) with the provided pcap and other pcap files.
>
> When I ran Suricata on the multiple pcap files with 'autofp runmode', the results were different through all the pcap runs (reassembly memcap was set to '2gb').

They should not differ for autofp as well (with the exception of some
threshold rules) - did you try adjusting the segment's prealloc size
if you have segment memcap hits in the stats.log? (Don't forget to
reorder the resulting pcap as well.)

There was a feature pushed recently to git master that is aiming at
automating this a bit (
https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L1223
).

Thanks



-- 
Regards,
Peter Manev
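The check suggested above (look for memcap hits in stats.log, then compare alert counts across pcap runs), as an added example that is not part of this thread or of Suricata itself. It parses a constructed stats.log excerpt; the counter names tcp.segment_memcap_drop, tcp.ssn_memcap_drop and detect.alert are assumed to match the Suricata 3.x stats.log layout.

```python
"""Spot memcap drops in a Suricata stats.log and compare alert counts between pcap runs."""

# Constructed stats.log excerpt in the Suricata 3.x three-column layout (not real data).
STATS_LOG = """\
Date: 1/31/2017 -- 09:55:58 (uptime: 0d, 00h 00m 05s)
------------------------------------------------------------------
Counter                   | TM Name                   | Value
------------------------------------------------------------------
capture.kernel_packets    | Total                     | 184213
tcp.segment_memcap_drop   | Total                     | 37
tcp.ssn_memcap_drop       | Total                     | 0
tcp.reassembly_memuse     | Total                     | 2147483648
detect.alert              | Total                     | 512
"""

# Counters that mean the stream engine ran out of memcap and dropped data;
# nonzero values here explain why alert counts drift between identical runs.
MEMCAP_COUNTERS = ("tcp.segment_memcap_drop", "tcp.ssn_memcap_drop")


def parse_stats(text):
    """Return {counter: value} from a stats.log text; later dumps overwrite earlier ones."""
    counters = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[2].isdigit():
            counters[parts[0]] = int(parts[2])
    return counters


def memcap_hits(counters):
    """Subset of memcap-related counters that are nonzero (i.e. something was dropped)."""
    return {k: v for k, v in counters.items() if k in MEMCAP_COUNTERS and v > 0}


def alert_counts_consistent(alert_counts):
    """True when every pcap run produced the same number of alerts."""
    return len(set(alert_counts)) == 1


def diagnose(stats_texts):
    """Given one stats.log text per run, return (consistent, per-run memcap hits)."""
    parsed = [parse_stats(t) for t in stats_texts]
    consistent = alert_counts_consistent([p.get("detect.alert", 0) for p in parsed])
    return consistent, [memcap_hits(p) for p in parsed]


if __name__ == "__main__":
    second_run = STATS_LOG.replace("| 37", "| 0").replace("| 512", "| 540")
    print(diagnose([STATS_LOG, second_run]))
```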


