[Oisf-users] Suricata only alerts for the first few rules of rule file

Lucas Augusto Mota de Alcantara lama2 at cin.ufpe.br
Thu Jan 9 07:33:15 UTC 2020


Hello everyone,

I'm testing some rules and I want to count how many times each rule matches
for a certain pcap file, but I noticed that suricata is alerting for only
the first few rules of the rule file.

For example, in the attached files I have a .rules file with thousands of
rules and a .pcap file with 4 packets. Most rules in that file should alert
all 4 times, and some should still alert at least 1 time.

The problem is that when I check the fast.log for the alerts, only 60
alerts are being logged (the first 15 rules that alert once for each
packet). Is there a reason why suricata is only logging those first few
alerts? And is there a way to make sure suricata alerts every time it
should alert?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testing.pcap
Type: application/vnd.tcpdump.pcap
Size: 1005 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20200109/692e3b72/attachment-0001.pcap>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testing.rules
Type: application/octet-stream
Size: 2212244 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20200109/692e3b72/attachment-0001.obj>
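Added example, not code from the post or from the Suricata project: a Python counter for the per-rule tally described above. It reads fast.log lines, counts matches per SID, and flags any packet on which the number of distinct rules logged reached Suricata's `packet-alert-max` (default 15 in suricata.yaml), the point past which further matches on that packet are not written to the log. The fast.log lines are constructed, and the packet key (timestamp plus flow tuple) is an approximation, since fast.log carries no packet id.

```python
import re
from collections import Counter, defaultdict

# Default of packet-alert-max in suricata.yaml; a coverage test that needs
# every match recorded has to raise it in the test configuration.
PACKET_ALERT_MAX = 15

# fast.log layout: "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...]
# [Priority: N] {PROTO} src:port -> dst:port"
FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*\{(?P<proto>\w+)\}\s+(?P<flow>\S+\s+->\s+\S+)\s*$"
)

def parse_fastlog(lines):
    """Yield (packet_key, sid) per alert line. The key approximates one packet
    by timestamp plus flow, because fast.log has no packet identifier."""
    for line in lines:
        m = FASTLOG_RE.match(line)
        if not m:
            continue  # blank or non-alert line
        yield (m["ts"], m["proto"], m["flow"]), int(m["sid"])

def count_alerts(lines, alert_max=PACKET_ALERT_MAX):
    """Return (matches per SID, packet keys that hit the per-packet cap).
    A packet in the second list may have had further matches dropped."""
    per_sid = Counter()
    per_packet = defaultdict(set)
    for pkt, sid in parse_fastlog(lines):
        per_sid[sid] += 1
        per_packet[pkt].add(sid)
    truncated = [p for p, sids in per_packet.items() if len(sids) >= alert_max]
    return per_sid, truncated

def _line(ts, sid, flow):
    # Constructed sample line in fast.log format (not from the original post).
    return (f"{ts}  [**] [1:{sid}:1] TEST sid {sid} [**] [Classification: (null)] "
            f"[Priority: 3] {{TCP}} {flow}")

# Constructed log: packet 1 with 15 distinct rules (the cap), packet 2 with 3.
SAMPLE_LOG = (
    [_line("01/09/2020-07:33:15.000001", 2000000 + i, "10.0.0.1:40000 -> 10.0.0.2:80")
     for i in range(1, 16)]
    + [_line("01/09/2020-07:33:15.000002", 2000000 + i, "10.0.0.2:80 -> 10.0.0.1:40000")
       for i in range(1, 4)]
)

if __name__ == "__main__":
    counts, truncated = count_alerts(SAMPLE_LOG)
    for sid, n in sorted(counts.items()):
        print(f"sid {sid}: {n}")
    for pkt in truncated:
        print(f"warning: {pkt} reached packet-alert-max={PACKET_ALERT_MAX}; later matches were not logged")
```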