[Oisf-users] about alerts and pcap-log
Cooper F. Nelson
cnelson at ucsd.edu
Thu Jul 18 02:39:59 UTC 2019
The tcp alerts will only alert once per flow. So it will alert on the
first two packets of the three-way handshake, but not the third as the
flow has then been established and already alerted on.
Can't answer your second question.
Re: pcap-log, that is as expected, as it's the packets processed by
Suricata. If you want the frames off the wire, use Wireshark.
-Coop
On 7/17/2019 7:32 PM, fyshine at sina.cn wrote:
> I tested some rules with Suricata, and I find it strange;
> My English is a little poor, please forgive me.
>
> rule: alert tcp any any -> any any (msg:"test1"; sid:100001;)
> Should it not alert on every packet in this TCP flow? But the result is just
> two alerts: one is SYN, the other is SYN/ACK. I have not found the reason.
>
> capture: I use NFQ to capture packets; Suricata runmode inline
> nfqueue;
> the packet counts and bytes in the two places are very different; I
> understand TCP overlap, but why are the bytes different?
>
> pcap-log: I observe the flow using Wireshark; there is no Ethernet
> information, just raw packet data. Why is this?
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
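To check both points discussed above on a real pcap-log file, here is an added example (not part of this thread or of Suricata): a minimal pcap reader that reports the file's link type from the global header (1 = Ethernet; 101 = LINKTYPE_RAW, bare IP packets with no Ethernet header, which is what the poster saw in Wireshark) and lists the TCP flags of each packet grouped by bidirectional flow, so the SYN / SYN-ACK sequence of a handshake can be read off directly. The sample pcap bytes are constructed inside the code; the 10.0.0.x addresses and ports are made up.

```python
import struct

LINKTYPES = {1: "ETHERNET", 101: "RAW"}  # RAW = bare IP packets, no Ethernet header
FLAG_BITS = [(0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST")]

def tcp_flags(byte):
    return "/".join(name for bit, name in FLAG_BITS if byte & bit) or "NONE"

def parse_pcap(data):
    """Return (link type name, [(src, sport, dst, dport, flags), ...]) for IPv4/TCP."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    linktype = struct.unpack_from(endian + "I", data, 20)[0]   # global header, offset 20
    packets, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == 1:                       # Ethernet: skip 14-byte header, IPv4 only
            if pkt[12:14] != b"\x08\x00":
                continue
            pkt = pkt[14:]
        if pkt[0] >> 4 != 4 or pkt[9] != 6:     # IP version 4, protocol 6 = TCP
            continue
        ihl = (pkt[0] & 0x0F) * 4
        src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
        packets.append((src, sport, dst, dport, tcp_flags(pkt[ihl + 13])))
    return LINKTYPES.get(linktype, str(linktype)), packets

def flows(packets):  # bidirectional flow (sorted endpoint pair) -> flag sequence
    out = {}
    for src, sport, dst, dport, flags in packets:
        out.setdefault(tuple(sorted([(src, sport), (dst, dport)])), []).append(flags)
    return out

# Constructed sample: a RAW-linktype pcap holding the SYN and SYN/ACK of one flow.
def build_ipv4_tcp(src, sport, dst, dport, flags):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)
def pcap_record(pkt):                           # per-packet header (ts, lengths) + data
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
               + pcap_record(build_ipv4_tcp("10.0.0.1", 40000, "10.0.0.2", 80, 0x02))
               + pcap_record(build_ipv4_tcp("10.0.0.2", 80, "10.0.0.1", 40000, 0x12)))

if __name__ == "__main__":
    linktype, pkts = parse_pcap(SAMPLE_PCAP)
    print("linktype:", linktype, "flows:", flows(pkts))
```

Point `parse_pcap` at the bytes of a real pcap-log file to see whether its link type is RAW or ETHERNET and which handshake packets each flow contains.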