[Oisf-users] Inquiry regarding Suricata detections.
Andreas Herz
aherz at oisf.net
Fri Apr 17 20:42:38 UTC 2020
On 13/04/20 at 18:58, 이재규 wrote:
> First, if the same rule and the same packet are tested many times, the
> timestamp of the detected packet is reported differently each time.
> Information other than the timestamp and flow_id matches. I want to
> know why the timestamp value was detected differently each time.
Can you give us more details? I can't reproduce that with your files.
> Second, when extracting files from the FTP pcap, detection may not be
> possible. It detects about once in a maximum of 10 inspection
> runs. For testing, I used the same rules and the same pcap.
> (The pcap is small, 94k in size.) Whether it is detected or not, I want to know
> why this happens with the same pcap.
I did several runs, and I always get the rule trigger and the file from
filestore.
How do you run Suricata exactly? (whole command line)
What OS do you use?
--
Andreas Herz