[Oisf-users] Discrepancies in Snort and Suricata alerts

Victor Julien lists at inliniac.net
Fri Oct 5 19:05:49 UTC 2018


On 05-10-18 20:17, fatema bannatwala wrote:
> Changing $HOME_NET to any in sid 2022813 didn't help though, still not
> getting that alert fired.
> One difference I had in suricata.yaml when running in offline pcap
> reading mode was, I set runmode to "single", while when suricata runs in
> packet sniffing mode it's set to "workers".
> 
> I tried to set it to "runmode:single" while in interface sniffing mode
> but was hit by ~60% capture loss, which makes sense as single-threaded
> suricata can't handle the traffic flowing through the interface.
> 
> The fact that alerts are fired when in offline single-threaded mode and
> the same alerts are not fired when in online packet-sniffing multi-threaded
> mode makes me think it has to do with multi-threading vs. single-threaded
> mode and how "workers" are capturing packets.
> 
> I will keep looking.
> 
> (The good thing is that Interrupt/IRQ pinning has helped to reduce
> capture loss to 0%)

Would you be able to test this pull request?

https://github.com/OISF/suricata/pull/3497

It adds a counter 'tcp.wrong_thread' that is incremented if TCP packets
come in on the wrong thread.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
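Added example (not code from the Suricata project, the pull request, or either poster): a toy simulation of what a 'tcp.wrong_thread' style counter measures. It assumes (my assumptions, not the page's) that a worker is chosen as flow_hash % NUM_WORKERS and that a flow "belongs" to the worker that saw its first packet. The two hash functions are constructed for illustration; they are not Suricata's flow hash or any NIC's RSS algorithm. The point for a defender: if the capture path hashes the two directions of a TCP connection to different workers, the worker that owns the flow never sees the other side's packets, stream reassembly is incomplete, and signatures that depend on both directions cannot match in "workers" mode even though they fire in single-threaded pcap mode. A nonzero counter makes that condition visible instead of showing up only as missing alerts.

```python
"""
Toy model of a 'wrong thread' counter for TCP flows spread over worker
threads. Constructed example; not Suricata code.
"""
import ipaddress

NUM_WORKERS = 4  # assumption: fixed worker count, worker = hash % NUM_WORKERS


def ip_int(addr):
    """IPv4/IPv6 string -> integer so the hash can mix the address value."""
    return int(ipaddress.ip_address(addr))


def directional_hash(src, sport, dst, dport):
    """Asymmetric hash: source and destination fields get different weights,
    so the two directions of one connection usually land on different
    workers. Mimics a non-symmetric RSS/load-balancer hash (constructed)."""
    return ip_int(src) * 3 + sport * 5 + ip_int(dst) * 7 + dport * 11


def symmetric_hash(src, sport, dst, dport):
    """Symmetric hash: order the endpoints first, then apply the same
    polynomial, so client->server and server->client agree by construction.
    This is the property a capture method needs to keep a flow on one worker."""
    (a_ip, a_port), (b_ip, b_port) = sorted([(src, sport), (dst, dport)])
    return directional_hash(a_ip, a_port, b_ip, b_port)


def flow_key(pkt):
    """Direction-independent flow identifier (what a flow table keys on)."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def count_wrong_thread(packets, hash_fn, num_workers=NUM_WORKERS):
    """Dispatch each packet to a worker by hash, remember which worker first
    saw the flow, and count packets that land on a different worker.
    Returns (wrong_thread_count, {flow_key: owning_worker})."""
    owner = {}
    wrong = 0
    for pkt in packets:
        worker = hash_fn(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]) % num_workers
        key = flow_key(pkt)
        if key not in owner:
            owner[key] = worker          # first packet claims the flow
        elif owner[key] != worker:
            wrong += 1                   # what tcp.wrong_thread would count
    return wrong, owner


def pkt(src, sport, dst, dport, desc):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "desc": desc}


# Constructed sample: one HTTP connection, both directions, in wire order.
CLIENT, SERVER = "10.0.0.5", "10.0.0.9"
SAMPLE_FLOW = [
    pkt(CLIENT, 51235, SERVER, 80, "SYN"),
    pkt(SERVER, 80, CLIENT, 51235, "SYN/ACK"),
    pkt(CLIENT, 51235, SERVER, 80, "ACK"),
    pkt(CLIENT, 51235, SERVER, 80, "GET / HTTP/1.1"),
    pkt(SERVER, 80, CLIENT, 51235, "HTTP/1.1 200 OK"),
    pkt(SERVER, 80, CLIENT, 51235, "FIN"),
    pkt(CLIENT, 51235, SERVER, 80, "ACK"),
]


if __name__ == "__main__":
    for name, fn in (("directional", directional_hash), ("symmetric", symmetric_hash)):
        wrong, _ = count_wrong_thread(SAMPLE_FLOW, fn)
        print(f"{name:12s} hash: wrong_thread = {wrong}")
    # With a single worker (the 'single' runmode analogue) nothing can be
    # on the wrong thread, which matches the offline pcap behaviour above.
    print("single worker : wrong_thread =", count_wrong_thread(SAMPLE_FLOW, directional_hash, 1)[0])
```

With the asymmetric hash, the three server-to-client packets of the sample flow land on a different worker than the one that saw the SYN, so the counter reads 3; with the symmetric hash, or with one worker, it reads 0. On a real sensor the same idea applies to the NIC/RSS or AF_PACKET fanout hash: a rising wrong-thread count points at the capture configuration, not at the rule.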