[Oisf-users] Discrepancies in Snort and Suricata alerts
Michał Purzyński
michalpurzynski1 at gmail.com
Fri Oct 5 18:20:40 UTC 2018
How about we make Suricata write us a pcap in afpacket workers mode? I’m pretty sure a rule can do that.
> On Oct 5, 2018, at 8:17 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>
> Changing $HOME_NET to any in sid 2022813 didn't help though, still not getting that alert fired.
> One difference I had in suricata.yaml when running in offline pcap reading mode was that I set runmode to "single", while when suricata runs in packet sniffing mode it's set to "workers".
>
> I tried to set it to "runmode:single" while on interface sniffing mode but was hit by ~60% capture loss, which makes sense as single threaded suricata can't handle the traffic flowing through the interface.
>
> The fact that alerts are fired when in offline single-threaded mode and the same alerts are not fired when in online packet-sniffing multi-threaded mode makes me think it has to do with multi-threading vs single-threaded mode and how "workers" are capturing packets.
>
> I will keep looking.
>
> (The good thing is that Interrupt/IRQ pinning has helped to reduce capture loss to 0%)
>
> Thanks,
> Fatema