[Oisf-users] Inconsistent results from fast.log file
Peter Manev
petermanev at gmail.com
Tue Mar 14 18:39:30 UTC 2017
> On 14 Mar 2017, at 18:03, secres at linuxmail.org wrote:
>
> > /opt/suricata/bin/suricata -V
> This is Suricata version 3.2beta1 RELEASE
>
> /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata/suricata.yaml -k none -r $PCAP -S $FILE
>
> I've been testing out Suricata for a little bit now and I've noticed some inconsistent results from alerts in the fast.log file. When I read in a pcap using -r I end up with a total alert count of 68-72 alerts in the file. I have been using the same PCAP file and same rules during each test. I pulled some information from the stats.log file and noticed along with the detect.alert changing, some of the other values changed. I would think that reading in a PCAP would result in the same information each time. Is this typical, an error, or just some kind of misconfiguration in the suricata.yaml file?
>
Do you use rules with threshold?
> Also, I added --simulated-ips to the command line option and on the same PCAP and rules file I end up with 128-132 alerts. It still varies the same way as before but there's a much greater number of alerts, any ideas?
>
>
> Date: 3/14/2017 -- 09:12:45 (uptime: 0d, 00h 00m 00s)
> ...
> detect.alert | Total | 68
> ...
> app_layer.flow.http | Total | 62
> ...
> flow.spare | Total | 9996
> flow_mgr.flows_checked | Total | 23
> flow_mgr.flows_notimeout | Total | 23
> flow_mgr.rows_checked | Total | 65536
> flow_mgr.rows_skipped | Total | 65513
> flow_mgr.rows_maxlen | Total | 1
> tcp.memuse | Total | 819200
> tcp.reassembly_memuse | Total | 12320544
> flow.memuse | Total | 7175616
>
>
> Date: 3/14/2017 -- 09:50:02 (uptime: 0d, 00h 00m 00s)
> ...
> detect.alert | Total | 72
> ...
> app_layer.flow.http | Total | 64
> ...
> flow.spare | Total | 9995
> flow_mgr.flows_checked | Total | 19
> flow_mgr.flows_notimeout | Total | 19
> flow_mgr.rows_checked | Total | 65536
> flow_mgr.rows_skipped | Total | 65517
> flow_mgr.rows_maxlen | Total | 1
> tcp.memuse | Total | 819200
> tcp.reassembly_memuse | Total | 12320544
> flow.memuse | Total | 7180056
>
> Thanks!
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
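The thread above compares only the detect.alert totals from stats.log, which says that the runs differ but not which rules differ. A per-signature comparison of the two fast.log files narrows the question Peter raises (whether threshold rules are involved) to the specific SIDs whose counts move between runs. The script below is an added example, not code from the thread or from the Suricata project; the fast.log lines it contains are constructed samples with placeholder SIDs (9000001 to 9000003), and the field layout it parses is the standard fast.log format (timestamp, `[**]`, `[gid:sid:rev]`, message, `[**]`, classification, priority, protocol, addresses).

```python
import re
import sys
from collections import Counter

# One fast.log alert line: timestamp, [**], [gid:sid:rev], message, [**], then
# classification/priority/addresses that this diagnostic does not need.
FAST_LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]'
)

# Constructed sample lines standing in for two separate -r runs over the same pcap.
# SIDs and messages are placeholders, not real ruleset entries.
RUN_A = [
    "03/14/2017-09:12:45.000101  [**] [1:9000001:1] EXAMPLE rule one [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234",
    "03/14/2017-09:12:45.000202  [**] [1:9000001:1] EXAMPLE rule one [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:80 -> 10.0.0.9:51235",
    "03/14/2017-09:12:46.000303  [**] [1:9000002:2] EXAMPLE rule two [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.9:53 -> 10.0.0.5:40000",
]
RUN_B = [
    "03/14/2017-09:50:02.000101  [**] [1:9000001:1] EXAMPLE rule one [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234",
    "03/14/2017-09:50:02.000202  [**] [1:9000001:1] EXAMPLE rule one [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:80 -> 10.0.0.9:51235",
    "03/14/2017-09:50:03.000303  [**] [1:9000002:2] EXAMPLE rule two [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.9:53 -> 10.0.0.5:40000",
    "03/14/2017-09:50:03.000404  [**] [1:9000002:2] EXAMPLE rule two [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.9:53 -> 10.0.0.5:40001",
    "03/14/2017-09:50:04.000505  [**] [1:9000003:1] EXAMPLE rule three [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:443 -> 10.0.0.9:51300",
]


def parse_fast_log(lines):
    """Yield (sid, msg) for every line that parses as an alert; skip the rest."""
    for line in lines:
        m = FAST_LOG_RE.match(line.strip())
        if m:
            yield int(m.group('sid')), m.group('msg')


def count_by_sid(lines):
    """Map sid -> number of alerts in one fast.log."""
    return Counter(sid for sid, _ in parse_fast_log(lines))


def messages_by_sid(lines):
    """Map sid -> rule message, so the report is readable without the ruleset."""
    return {sid: msg for sid, msg in parse_fast_log(lines)}


def diff_runs(counts_a, counts_b):
    """Return {sid: (count_in_a, count_in_b)} for every sid whose count differs.

    SIDs present in only one run show a count of 0 on the other side.
    """
    sids = sorted(set(counts_a) | set(counts_b))
    return {sid: (counts_a.get(sid, 0), counts_b.get(sid, 0))
            for sid in sids if counts_a.get(sid, 0) != counts_b.get(sid, 0)}


def report(lines_a, lines_b):
    """Print totals and the per-SID differences between two fast.log runs."""
    counts_a, counts_b = count_by_sid(lines_a), count_by_sid(lines_b)
    msgs = {**messages_by_sid(lines_a), **messages_by_sid(lines_b)}
    print(f"run A: {sum(counts_a.values())} alerts, run B: {sum(counts_b.values())} alerts")
    for sid, (a, b) in diff_runs(counts_a, counts_b).items():
        print(f"  sid {sid} ({msgs.get(sid, '?')}): {a} -> {b}")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python fastlog_diff.py fast.log.runA fast.log.runB
        with open(sys.argv[1]) as fa, open(sys.argv[2]) as fb:
            report(fa.readlines(), fb.readlines())
    else:
        report(RUN_A, RUN_B)
```

Rules whose counts change between otherwise identical runs are the ones to inspect for `threshold`, `detection_filter`, or a `threshold.config` entry, since those keywords count events over wall-clock windows and the pcap is replayed at different speeds depending on host load; rules that alert the same number of times on every run can be set aside.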