[Oisf-users] Discrepancies in Snort and Suricata alerts

fatema bannatwala fatema.bannatwala at gmail.com
Fri Oct 5 18:17:01 UTC 2018


Changing $HOME_NET to any in sid 2022813 didn't help, though; that alert still
doesn't fire.
One difference in my suricata.yaml when running in offline pcap-reading mode
was that I set runmode to "single", while when Suricata runs in packet-sniffing
mode it is set to "workers".

I tried setting "runmode: single" while in interface-sniffing mode but was hit
by ~60% capture loss, which makes sense, as single-threaded Suricata can't
handle the traffic flowing through the interface.

The fact that alerts fire in offline single-threaded mode and the same alerts
do not fire in online multi-threaded packet-sniffing mode makes me think it has
to do with multi-threaded vs. single-threaded mode and how "workers" capture
packets.

I will keep looking.

(The good thing is that interrupt/IRQ pinning has helped reduce capture loss
to 0%.)

Thanks,
Fatema
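
A diagnostic for the offline-vs-live discrepancy discussed above, added here as an example and not part of the original post or of Suricata itself: run the same ruleset once against the pcap and once on the interface, then diff the SIDs that appear in each fast.log. The Suricata command lines in the comments use real flags (-c, -r, -i, --runmode, -l); the log lines embedded in the script are constructed samples, not alerts from this thread, and every SID other than 2022813 is a placeholder. One general caveat worth checking before attributing a gap to the runmode: on live capture, NIC checksum offload can leave locally generated packets with bad checksums that Suricata then skips, so re-running the live capture with -k none (or adjusting checksum-checks in the capture section of suricata.yaml) is a quick way to rule that out.

```shell
#!/bin/sh
# Added example (not from the original post or the Suricata project).
# Compare which rule SIDs alerted in two Suricata runs over the same traffic,
# e.g. an offline run
#   suricata -c suricata.yaml -r capture.pcap --runmode single -l out-offline
# and a live run on the same link
#   suricata -c suricata.yaml -i eth0 --runmode workers -l out-live
# and report SIDs that fired in one but not the other.
set -eu

# Print the sorted, unique SIDs found in a fast.log.
# fast.log lines look like:  <ts>  [**] [gid:sid:rev] <msg> [**] ...
sids_in() {
    sed -n 's/.*\[\*\*\] \[[0-9]*:\([0-9]*\):[0-9]*\].*/\1/p' "$1" | sort -u
}

# SIDs present in the first fast.log ($1) but absent from the second ($2).
# comm needs sorted input, which sids_in guarantees.
missing_sids() {
    ms_a=$(mktemp); ms_b=$(mktemp)
    sids_in "$1" > "$ms_a"
    sids_in "$2" > "$ms_b"
    comm -23 "$ms_a" "$ms_b"
    rm -f "$ms_a" "$ms_b"
}

# Constructed sample logs (not real alerts). 2022813 is the SID the post
# names; 1000001 is an arbitrary local-range placeholder. The offline run
# logs both, the live run logs only the placeholder.
write_offline_sample() {
    cat > "$1" <<'EOF'
10/05/2018-14:02:11.123456  [**] [1:2022813:3] placeholder rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80
10/05/2018-14:02:11.223456  [**] [1:1000001:1] placeholder rule B [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:80 -> 10.0.0.5:51234
10/05/2018-14:02:12.000001  [**] [1:2022813:3] placeholder rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.6:40000 -> 192.0.2.10:80
EOF
}

write_live_sample() {
    cat > "$1" <<'EOF'
10/05/2018-14:02:11.230000  [**] [1:1000001:1] placeholder rule B [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:80 -> 10.0.0.5:51234
EOF
}

# Stand-alone demo: write the samples and print what the live run missed.
demo_dir=$(mktemp -d)
write_offline_sample "$demo_dir/offline-fast.log"
write_live_sample "$demo_dir/live-fast.log"
echo "SIDs that fired offline but not live:"
missing_sids "$demo_dir/offline-fast.log" "$demo_dir/live-fast.log"
rm -rf "$demo_dir"
```

Point missing_sids at the two real fast.log files in reverse order as well: SIDs that fire only on the live side point at traffic the pcap never contained (or at $HOME_NET differences), while SIDs that fire only offline narrow the search to capture-side causes such as the runmode, the checksum setting, or packet loss on the interface.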