[Oisf-users] Discrepancies in Snort and Suricata alerts

Victor Julien lists at inliniac.net
Fri Oct 5 19:07:02 UTC 2018


On 05-10-18 20:20, Michał Purzyński wrote:
> How about we make Suricata write us a pcap in afpacket workers mode? I’m pretty sure a rule can do that.

Our pcap logging is all or nothing currently. All might be interesting
still, but could quickly become overwhelming.

Cheers,
Victor

> 
>> On Oct 5, 2018, at 8:17 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>>
>> Changing $HOME_NET to any in sid 2022813 didn't help though, still not getting that alert fired.
>> One difference I had in suricata.yaml when running in offline pcap reading mode was that I set runmode to "single", while when suricata runs in packet sniffing mode it's set to "workers".
>>
>> I tried to set it to "runmode:single" while on interface sniffing mode but was hit by ~60% capture loss, which makes sense as single-threaded suricata can't handle the traffic flowing through the interface.
>>
>> The fact that alerts are fired in offline single-threaded mode and the same alerts are not fired in online multi-threaded packet sniffing mode makes me think it has to do with multi-threading vs single-threaded mode and how "workers" are capturing packets.
>>
>> I will keep looking.
>>
>> (The good thing is that Interrupt/IRQ pinning has helped to reduce capture loss to 0%)
>>
>> Thanks,
>> Fatema
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
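One way to make the offline-versus-live comparison discussed above mechanical, as an added example that is not part of the thread or of Suricata itself: it diffs alert counts per signature_id between an eve.json written in pcap mode and one written while sniffing, and reads the capture drop counters from the last stats event. The EVE lines below are constructed; only SID 2022813 comes from the thread, and its signature text is a placeholder.

```python
import json
from collections import Counter

# Constructed EVE JSON samples (not real captures). Only SID 2022813 is from
# the thread; its signature text is a placeholder, the 9000xxx SIDs are made up.
OFFLINE_EVE = """\
{"timestamp":"2018-10-05T12:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2022813,"rev":1,"signature":"PLACEHOLDER rule 2022813","category":"Example"}}
{"timestamp":"2018-10-05T12:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED rule A","category":"Example"}}
{"timestamp":"2018-10-05T12:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"10.0.0.9","alert":{"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED rule A","category":"Example"}}
{"timestamp":"2018-10-05T12:00:04.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}
"""
ONLINE_EVE = """\
{"timestamp":"2018-10-05T12:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED rule A","category":"Example"}}
{"timestamp":"2018-10-05T12:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"signature_id":9000002,"rev":1,"signature":"CONSTRUCTED rule B","category":"Example"}}
{"timestamp":"2018-10-05T12:00:08.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":1000,"kernel_drops":600}}}
"""

def events(eve_text):
    """Yield parsed EVE events, skipping blank lines."""
    for line in eve_text.splitlines():
        if line.strip():
            yield json.loads(line)

def alert_counts(eve_text):
    """Alerts per signature_id; a SID absent here never fired in that run."""
    counts = Counter()
    for ev in events(eve_text):
        if ev.get("event_type") == "alert":
            counts[ev["alert"]["signature_id"]] += 1
    return counts

def compare_alerts(offline_text, online_text):
    """Diff two EVE logs of the same traffic: SIDs only one run fired,
    plus SIDs both runs fired but a different number of times."""
    off, on = alert_counts(offline_text), alert_counts(online_text)
    return {
        "missing_online": sorted(set(off) - set(on)),
        "missing_offline": sorted(set(on) - set(off)),
        "count_mismatch": {s: (off[s], on[s]) for s in off.keys() & on.keys()
                           if off[s] != on[s]},
    }

def capture_drop_ratio(eve_text):
    """Dropped fraction from the last stats event (counters are cumulative);
    0.0 when there are no stats. A high ratio points at capture loss, not
    at the rule or the runmode, as the cause of a missing alert."""
    packets = drops = 0
    for ev in events(eve_text):
        if ev.get("event_type") == "stats":
            cap = ev["stats"].get("capture", {})
            packets, drops = cap.get("kernel_packets", 0), cap.get("kernel_drops", 0)
    return drops / packets if packets else 0.0
```

Run it against the real files with `compare_alerts(open("offline/eve.json").read(), open("live/eve.json").read())`; a SID listed under missing_online together with a drop ratio near zero is the case worth chasing as a runmode difference.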


