[Oisf-users] Discrepancies in Snort and Suricata alerts

Victor Julien lists at inliniac.net
Fri Oct 5 18:25:19 UTC 2018

On 05-10-18 17:54, fatema bannatwala wrote:
> stream:
>   memcap: 64mb 
>   checksum-validation: no     
>   inline: no                   
>   bypass: yes
>   reassembly:
>     memcap: 256mb 
>     depth: 1mb

Do you happen to have a lot of http pipelining (e.g. proxy servers)? In
this case the 1mb depth could make you not inspect a lot of traffic, as
this is (currently) per TCP session and isn't reset per HTTP
transaction. Perhaps trying setting this depth to 0 for a while could be
an interesting test.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list