[Oisf-users] Suricata only alerts for the first few rules of rule file
David Wharton
oisf at davidwharton.us
Thu Jan 9 06:03:36 UTC 2020
Looks like there is a limit of 15 alerts per packet. From
https://github.com/OISF/suricata/blob/700eebaeccb94bdd0ad6a22466c0026afed6c4df/src/decode.h#L291:
#define PACKET_ALERT_MAX 15
You could try increasing this and recompiling.
-David
On 1/9/20 2:33 AM, Lucas Augusto Mota de Alcantara wrote:
> Hello everyone,
>
> I'm testing some rules and I want to count how many times each rule
> matches for a certain pcap file, but I noticed that suricata is
> alerting for only the first few rules of the rule file.
>
> For example, in the attached files I have a .rules file with thousands
> of rules and a .pcap file with 4 packets. Most rules in that file
> should alert all 4 times, and some should still alert at least 1 time.
>
> The problem is that when I check the fast.log for the alerts, only 60
> alerts are being logged (the first 15 rules that alert once for each
> packet). Is there a reason why suricata is only logging those first
> few alerts? And is there a way to make sure suricata alerts every time
> it should alert?
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
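As an added example (not part of either message in this thread, and not Suricata code), the following script does the counting the original poster wanted while making the PACKET_ALERT_MAX cap visible: it tallies fast.log alerts per SID, then groups alerts by packet and flags any packet whose count reached the compiled-in limit, since for such a packet the per-rule counts are truncated and cannot be trusted. It assumes the default fast.log line layout and approximates a packet by its timestamp plus protocol and addresses, because fast.log carries no packet identifier. The sample log is constructed inline to mirror the thread (4 packets, 15 alerts each, plus one extra packet that is not capped).

```python
"""Count Suricata fast.log alerts per rule and flag packets that hit PACKET_ALERT_MAX."""
import re
from collections import Counter

# Compiled-in cap on alerts per packet (src/decode.h: #define PACKET_ALERT_MAX 15).
PACKET_ALERT_MAX = 15

# Default fast.log line layout (assumption: unmodified fast.log output), e.g.
#   01/09/2020-02:33:00.123456  [**] [1:1000001:1] msg [**] [Classification: x] [Priority: 3] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_fast_log(lines):
    """Yield one dict per parseable alert line; lines that do not match are skipped."""
    for line in lines:
        m = FAST_LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def count_alerts(lines):
    """Return (alerts per SID, alerts per packet).

    A packet is approximated by (timestamp, proto, src, dst): fast.log has no
    packet id, so two distinct packets sharing a microsecond timestamp and the
    same endpoints would be merged. Acceptable for this sanity check.
    """
    per_sid = Counter()
    per_packet = Counter()
    for a in parse_fast_log(lines):
        per_sid[int(a["sid"])] += 1
        per_packet[(a["ts"], a["proto"], a["src"], a["dst"])] += 1
    return per_sid, per_packet


def capped_packets(per_packet, limit=PACKET_ALERT_MAX):
    """Packets whose alert count reached the cap; their real count may be higher."""
    return sorted(k for k, n in per_packet.items() if n >= limit)


def make_sample_log():
    """Constructed fast.log mirroring the thread: 4 packets with 15 alerts each
    (Suricata stops logging at the 15th rule), plus a 5th packet with only 3."""
    lines = []
    packets = [
        ("01/09/2020-02:33:00.000001", "10.0.0.1:40000", "10.0.0.2:80"),
        ("01/09/2020-02:33:00.000002", "10.0.0.2:80", "10.0.0.1:40000"),
        ("01/09/2020-02:33:00.000003", "10.0.0.1:40000", "10.0.0.2:80"),
        ("01/09/2020-02:33:00.000004", "10.0.0.2:80", "10.0.0.1:40000"),
    ]
    for ts, src, dst in packets:
        for sid in range(1000001, 1000001 + PACKET_ALERT_MAX):
            lines.append(f"{ts}  [**] [1:{sid}:1] TEST rule {sid} [**] "
                         f"[Classification: (null)] [Priority: 3] {{TCP}} {src} -> {dst}")
    for sid in (1000001, 1000002, 1000003):
        lines.append(f"01/09/2020-02:33:01.000000  [**] [1:{sid}:1] TEST rule {sid} [**] "
                     f"[Classification: (null)] [Priority: 3] {{TCP}} 10.0.0.1:40001 -> 10.0.0.2:80")
    return lines


if __name__ == "__main__":
    sample = make_sample_log()
    per_sid, per_packet = count_alerts(sample)
    for sid, n in sorted(per_sid.items()):
        print(f"sid {sid}: {n} alerts")
    for key in capped_packets(per_packet):
        print(f"WARNING: packet {key} logged {per_packet[key]} alerts, which equals "
              f"PACKET_ALERT_MAX; per-rule counts for this packet are truncated")
```

Run it against a real capture with `count_alerts(open("/var/log/suricata/fast.log"))`; any packet reported by `capped_packets` is one where rules beyond the 15th silently did not alert, so either raise PACKET_ALERT_MAX and rebuild as suggested above, or split the rule set into batches of fewer than 15 rules per run before trusting the per-rule totals.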