[Oisf-users] Inquiry regarding Suricata detections.

이재규 leejaekyu0523 at naver.com
Mon Apr 13 09:58:00 UTC 2020


Large attachments are kept for 30 days / can be downloaded up to 100 times

First_smtp_timestamp.tar.gz 41MB

  Download period: 2020/04/13 ~ 2020/05/13

Hi oisf-users team,
 
I am testing the file extraction function of Suricata version 5.0.2.
The pcap was used in the ".lst" file format.
I also used the "--pcap-file-continuous" option.
 
I have 2 questions.
 
First,
If the same rule and the same packet are tested many times, the timestamp of the detected packet is reported differently each time.
Information other than the timestamp, and the flow_id, match.
I want to know why the timestamp value is detected differently each time.

Second,
When extracting files from the ftp pcap, detection sometimes does not happen.
It detects about once in a maximum of 10 inspection runs.
For testing, I used the same rules and the same pcap. (The pcap size is 94k, a small size.)
I want to know why the same pcap is sometimes detected and sometimes not.

I attached the files used in the test, such as the pcap, rule, and .yaml, to the email.
The ftp one also includes a fast.log file.
 
Can you help me with any related issues?
Thank you for your time.
We look forward to your reply.
 
JK Lee
leejaekyu0523 at naver.com
+82-10-9501-9597
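One way to check whether repeated runs of the same pcap differ only in the timestamp, as an added example that is not the poster's code or part of Suricata: the script below keys EVE JSON events on flow_id and event_type, drops the timestamp, and reports which events are missing from one run or changed between runs. The field names timestamp, flow_id and event_type are Suricata's EVE names; the sample lines are constructed and the file name in them is hypothetical.

```python
import json
from collections import defaultdict

# Constructed EVE JSON output standing in for two runs of the same pcap.
# Run B is missing the fileinfo event and reports a different timestamp
# for the alert, mirroring the two symptoms described in the post.
RUN_A = """
{"timestamp":"2020-04-13T09:58:00.000001+0000","flow_id":1,"event_type":"alert","alert":{"signature_id":1000001}}
{"timestamp":"2020-04-13T09:58:00.000002+0000","flow_id":2,"event_type":"fileinfo","fileinfo":{"filename":"sample.bin","state":"CLOSED"}}
"""
RUN_B = """
{"timestamp":"2020-04-13T10:03:11.000001+0000","flow_id":1,"event_type":"alert","alert":{"signature_id":1000001}}
"""

# Fields expected to vary between runs and therefore excluded from the diff.
IGNORED_FIELDS = {"timestamp"}


def load_events(text):
    """Parse EVE JSON lines into {(flow_id, event_type): [event, ...]} with ignored fields removed."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        key = (ev.get("flow_id"), ev.get("event_type"))
        events[key].append({k: v for k, v in ev.items() if k not in IGNORED_FIELDS})
    return events


def compare_runs(text_a, text_b):
    """Report events present in only one run, or whose non-ignored content differs."""
    a, b = load_events(text_a), load_events(text_b)
    report = {"missing_in_a": [], "missing_in_b": [], "changed": []}
    for key in sorted(set(a) | set(b), key=str):
        if key not in b:
            report["missing_in_b"].append(key)
        elif key not in a:
            report["missing_in_a"].append(key)
        elif a[key] != b[key]:
            report["changed"].append(key)
    return report


if __name__ == "__main__":
    # With real data, read eve.json from each run into RUN_A / RUN_B instead.
    print(json.dumps(compare_runs(RUN_A, RUN_B), default=str, indent=2))
```

If the report is empty apart from the excluded timestamp, the runs are equivalent for detection purposes; a non-empty `missing_in_*` list points at the intermittent fileinfo case rather than a rule problem.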
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Second_ftp_detection.tar.gz
Type: application/x-gzip
Size: 99841 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20200413/d4b777fc/attachment-0001.bin>