[Oisf-users] about alerts and pcap-log
fyshine at sina.cn
Thu Jul 18 02:32:18 UTC 2019
I tested some rules with Suricata and found something strange. My English is a little poor, please forgive me.

Rule: alert tcp any any -> any any ( msg:"test1"; sid:100001; ) Should it not alert on every packet in this TCP flow? But the result is just two alerts, one for the SYN and the other for the SYN-ACK; I cannot find the reason.

Capture: I use NFQ to capture packets; the Suricata runmode is inline nfqueue. The packet counts and bytes in the two places are very different. I understand TCP overlap, but why are the bytes different?

pcap-log: I observed the flow with Wireshark; there is no Ethernet information, just raw packet data. Why is this?
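An added example, not part of the original post, for the pcap-log question: packets taken from NFQUEUE arrive at the IP layer with no Ethernet header, so the written pcap carries a raw-IP link type (101) instead of Ethernet (1). The script below builds a constructed pcap with one SYN packet, reads the link type from the global header, and dispatches the packet parser accordingly, which is the check to run before assuming Ethernet fields exist.

```python
import struct

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101  # raw IP, no link-layer header (what NFQUEUE delivers)

def build_pcap(linktype, packets):
    """Constructed pcap bytes: little-endian global header plus one record per packet."""
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, pkt in packets:
        out += struct.pack('<IIII', ts, 0, len(pkt), len(pkt)) + pkt
    return out

def sample_syn():
    """Constructed IPv4/TCP SYN 10.0.0.1:12345 -> 10.0.0.2:80 (checksums left zero)."""
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack('!HHIIBBHHH', 12345, 80, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ip + tcp

def parse_packet(linktype, pkt):
    """Skip the link-layer header only when the file says there is one."""
    if linktype == LINKTYPE_ETHERNET:
        ip = pkt[14:]
    elif linktype == LINKTYPE_RAW:
        ip = pkt
    else:
        raise ValueError('unhandled linktype %d' % linktype)
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    rec = {'src': '.'.join(map(str, ip[12:16])),
           'dst': '.'.join(map(str, ip[16:20])), 'proto': proto}
    if proto == 6:  # TCP: ports and SYN/ACK flag bits
        sport, dport = struct.unpack_from('!HH', ip, ihl)
        flags = ip[ihl + 13]
        rec.update(sport=sport, dport=dport,
                   syn=bool(flags & 0x02), ack=bool(flags & 0x10))
    return rec

def parse_pcap(data):
    """Return (linktype, [parsed packets]) from classic pcap bytes."""
    magic, _, _, _, _, _, linktype = struct.unpack_from('<IHHiIII', data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError('unsupported pcap magic %#x' % magic)
    off, records = 24, []
    while off < len(data):
        _, _, incl, _ = struct.unpack_from('<IIII', data, off)
        off += 16
        records.append(parse_packet(linktype, data[off:off + incl]))
        off += incl
    return linktype, records

RAW_PCAP = build_pcap(LINKTYPE_RAW, [(0, sample_syn())])
```

Running parse_pcap on a real pcap-log file shows the same distinction: link type 101 means Wireshark has no Ethernet layer to display, which is expected rather than a capture error.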