[Oisf-users] Inconsistent results from fast.log file

Tom DeCanio decanio.tom at gmail.com
Wed Mar 15 00:13:36 UTC 2017


Try adding --runmode=single to your command line.

On Tue, Mar 14, 2017 at 3:37 PM, Peter Manev <petermanev at gmail.com> wrote:

> On Tue, Mar 14, 2017 at 8:54 PM,  <secres at linuxmail.org> wrote:
> >
> > Do you use rules with threshold?
> >
> > Yes, there are a few rules with thresholds but I'm not sure how that would
> > vary the alert count since it's the same PCAP being read in each time.
> >
>
> It seems related to -
> https://redmine.openinfosecfoundation.org/issues/1772
>
> (please include the list in your reply :) )
>
> > Sent: Tuesday, March 14, 2017 at 12:39 PM
> > From: "Peter Manev" <petermanev at gmail.com>
> > To: secres at linuxmail.org
> > Cc: oisf-users at lists.openinfosecfoundation.org
> > Subject: Re: [Oisf-users] Inconsistent results from fast.log file
> >
> >
> > On 14 Mar 2017, at 18:03, secres at linuxmail.org wrote:
> >
> >
> >> /opt/suricata/bin/suricata -V
> > This is Suricata version 3.2beta1 RELEASE
> >
> > /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata/suricata.yaml -k none -r $PCAP -S $FILE
> >
> > I've been testing out Suricata for a little bit now and I've noticed some
> > inconsistent results from alerts in the fast.log file.  When I read in a
> > pcap using -r I end up with a total alert count of 68-72 alerts in the file.
> > I have been using the same PCAP file and same rules during each test.  I
> > pulled some information from the stats.log file and noticed along with the
> > detect.alert changing, some of the other values changed.  I would think that
> > reading in a PCAP would result in the same information each time.  Is this
> > typical, an error, or just some kind of misconfiguration in the
> > suricata.yaml file?
> >
> >
> >
> > Do you use rules with threshold?
> >
> >
> > Also, I added --simulated-ips to the command line option and on the same
> > PCAP and rules file I end up with 128-132 alerts.  It still varies the same
> > way as before but there's a much greater number of alerts, any ideas?
> >
> >
> > Date: 3/14/2017 -- 09:12:45 (uptime: 0d, 00h 00m 00s)
> > ...
> > detect.alert              | Total | 68
> > ...
> > app_layer.flow.http       | Total | 62
> > ...
> > flow.spare                | Total | 9996
> > flow_mgr.flows_checked    | Total | 23
> > flow_mgr.flows_notimeout  | Total | 23
> > flow_mgr.rows_checked     | Total | 65536
> > flow_mgr.rows_skipped     | Total | 65513
> > flow_mgr.rows_maxlen      | Total | 1
> > tcp.memuse                | Total | 819200
> > tcp.reassembly_memuse     | Total | 12320544
> > flow.memuse               | Total | 7175616
> >
> >
> > Date: 3/14/2017 -- 09:50:02 (uptime: 0d, 00h 00m 00s)
> > ...
> > detect.alert              | Total | 72
> > ...
> > app_layer.flow.http       | Total | 64
> > ...
> > flow.spare                | Total | 9995
> > flow_mgr.flows_checked    | Total | 19
> > flow_mgr.flows_notimeout  | Total | 19
> > flow_mgr.rows_checked     | Total | 65536
> > flow_mgr.rows_skipped     | Total | 65517
> > flow_mgr.rows_maxlen      | Total | 1
> > tcp.memuse                | Total | 819200
> > tcp.reassembly_memuse     | Total | 12320544
> > flow.memuse               | Total | 7180056
> >
> > Thanks!
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
>
> --
> Regards,
> Peter Manev
>
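The thread's diagnostic step (reading the same PCAP several times and comparing the stats.log counters) is easy to automate. The script below is an added example for this archive page, not code from Suricata or from either poster. It parses the `counter | TM Name | value` rows that stats.log prints, lists every counter whose value changes between runs, and separates counters that are expected to move with timing and thread scheduling (the flow manager and memuse figures) from those that should be identical on a replayed PCAP, such as detect.alert. The two stats.log excerpts are constructed from the values quoted above; the fast.log lines, the signature ids and the choice of which prefixes count as timing-dependent are my assumptions.

```python
"""Compare Suricata stats.log counters across repeated reads of one pcap.

Added example, not Suricata's own code. The stats.log dumps below are
constructed from the two runs quoted in the thread; the fast.log sample and
the TIMING_DEPENDENT_PREFIXES classification are assumptions.
"""
import re
from collections import defaultdict

# One stats.log row: counter name | thread-module name | integer value.
STATS_ROW = re.compile(
    r"^(?P<name>[\w.]+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$")

# Counters whose value depends on when the flow manager ran and how much
# memory was in use at the instant of the dump (assumed classification).
TIMING_DEPENDENT_PREFIXES = ("flow_mgr.", "flow.spare", "flow.memuse",
                             "tcp.memuse", "tcp.reassembly_memuse")


def parse_stats(text):
    """Return {counter: value} for one stats.log dump; a later row wins."""
    counters = {}
    for line in text.splitlines():
        m = STATS_ROW.match(line.strip())
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def compare_runs(runs):
    """Return {counter: (min, max)} for every counter whose value varies."""
    seen = defaultdict(list)
    for run in runs:
        for name, value in run.items():
            seen[name].append(value)
    return {n: (min(v), max(v)) for n, v in seen.items() if len(set(v)) > 1}


def unexpected_variation(runs):
    """Varying counters that timing does not explain, e.g. detect.alert."""
    return {n: rng for n, rng in compare_runs(runs).items()
            if not n.startswith(TIMING_DEPENDENT_PREFIXES)}


def count_fast_log_alerts(text):
    """Count alert records in fast.log text; every record carries '[**]'."""
    return sum(1 for line in text.splitlines() if "[**]" in line)


# Constructed stats.log excerpts (values from the two runs in the thread).
RUN_1 = """\
Date: 3/14/2017 -- 09:12:45 (uptime: 0d, 00h 00m 00s)
Counter                   | TM Name                   | Value
------------------------------------------------------------------
detect.alert              | Total                     | 68
app_layer.flow.http       | Total                     | 62
flow.spare                | Total                     | 9996
flow_mgr.flows_checked    | Total                     | 23
flow_mgr.flows_notimeout  | Total                     | 23
flow_mgr.rows_checked     | Total                     | 65536
flow_mgr.rows_skipped     | Total                     | 65513
flow_mgr.rows_maxlen      | Total                     | 1
tcp.memuse                | Total                     | 819200
tcp.reassembly_memuse     | Total                     | 12320544
flow.memuse               | Total                     | 7175616
"""
RUN_2 = """\
Date: 3/14/2017 -- 09:50:02 (uptime: 0d, 00h 00m 00s)
Counter                   | TM Name                   | Value
------------------------------------------------------------------
detect.alert              | Total                     | 72
app_layer.flow.http       | Total                     | 64
flow.spare                | Total                     | 9995
flow_mgr.flows_checked    | Total                     | 19
flow_mgr.flows_notimeout  | Total                     | 19
flow_mgr.rows_checked     | Total                     | 65536
flow_mgr.rows_skipped     | Total                     | 65517
flow_mgr.rows_maxlen      | Total                     | 1
tcp.memuse                | Total                     | 819200
tcp.reassembly_memuse     | Total                     | 12320544
flow.memuse               | Total                     | 7180056
"""
# Constructed fast.log sample: two records in fast.log's layout, local sids.
FAST_LOG = """\
03/14/2017-09:12:45.123456  [**] [1:1000001:1] LOCAL test alert one [**] \
[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234
03/14/2017-09:12:46.000001  [**] [1:1000002:1] LOCAL test alert two [**] \
[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.9:51235 -> 10.0.0.5:22
"""

if __name__ == "__main__":
    runs = [parse_stats(RUN_1), parse_stats(RUN_2)]
    for name, (lo, hi) in sorted(compare_runs(runs).items()):
        tag = "timing" if name.startswith(TIMING_DEPENDENT_PREFIXES) else "CHECK"
        print(f"{tag:6} {name:26} {lo} .. {hi}")
    print("fast.log alerts:", count_fast_log_alerts(FAST_LOG))
```

On the two dumps from the thread, `unexpected_variation` reports only detect.alert (68..72) and app_layer.flow.http (62..64); the flow manager and memuse counters are expected to differ between dumps. Feeding it stats.log copies from repeated `-r` runs with `--runmode=single` added, as Tom suggests, is a quick way to confirm that the alert count has become stable.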