[Oisf-users] Discrepancies in Snort and Suricata alerts
Victor Julien
lists at inliniac.net
Fri Oct 5 18:25:19 UTC 2018
On 05-10-18 17:54, fatema bannatwala wrote:
> stream:
>   memcap: 64mb
>   checksum-validation: no
>   inline: no
>   bypass: yes
>   reassembly:
>     memcap: 256mb
>     depth: 1mb
Do you happen to have a lot of http pipelining (e.g. proxy servers)? In
this case the 1mb depth could make you not inspect a lot of traffic, as
this is (currently) per TCP session and isn't reset per HTTP
transaction. Perhaps trying to set this depth to 0 for a while could be
an interesting test.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
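A small Python model of the effect described in the reply above, added here as an illustration rather than taken from the thread or from Suricata's own code; the `parse_size` helper, the per-direction simplification and the transaction sizes are constructed assumptions:

```python
# Added example modelling the behaviour described in the reply above: the
# stream.reassembly.depth cap is counted per TCP session (modelled here as
# one direction of one session), not reset per HTTP transaction, so on a
# pipelined or keep-alive connection the later transactions may never be
# inspected. Simplified illustration, not Suricata code; sizes are constructed.

import re

MB = 1024 * 1024


def parse_size(value):
    """Parse a suricata.yaml-style size ('1mb', '256kb', '0'); 0 = unlimited.
    Hypothetical helper, not Suricata's own parser."""
    m = re.fullmatch(r"\s*(\d+)\s*(kb|mb|gb)?\s*", str(value).lower())
    if not m:
        raise ValueError("bad size: %r" % value)
    unit = {None: 1, "kb": 1024, "mb": MB, "gb": 1024 * MB}[m.group(2)]
    return int(m.group(1)) * unit


def inspected_per_transaction(txn_sizes, depth):
    """Bytes of each transaction that fall inside the per-session depth window.
    txn_sizes: payload bytes of successive HTTP transactions on one session.
    depth: reassembly depth in bytes; 0 means no limit."""
    out = []
    seen = 0  # bytes already counted against the session's depth budget
    for size in txn_sizes:
        if depth == 0:
            out.append(size)
        else:
            out.append(max(0, min(size, depth - seen)))
        seen += size
    return out


def blind_transactions(txn_sizes, depth):
    """Number of transactions on the session that receive no inspection at all."""
    return sum(1 for n in inspected_per_transaction(txn_sizes, depth) if n == 0)


if __name__ == "__main__":
    # Constructed scenario: a proxy keeps one TCP session open and serves
    # 8 responses of 300 KB each through it.
    session = [300 * 1024] * 8
    for setting in ("1mb", "0"):
        depth = parse_size(setting)
        print("depth=%-3s inspected=%s blind=%d" % (
            setting, inspected_per_transaction(session, depth),
            blind_transactions(session, depth)))
```

With the 1mb cap, half of the constructed session's transactions are never inspected; with depth 0 every transaction is.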