Project

General

Profile

Actions
Copy link

Bug #1772

open

Inconsistent number of alerts while reading a pcap - runmode single/autofp,unix-socket

Added by Peter Manev almost 10 years ago. Updated 6 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using the pcap and the rules file attached with Suricata - 3.1dev (rev 7f700a1) - there is inconsistent number of alerts generated (reproducible across runs ) as follows:

suricata -c /etc/suricata/suricata.yaml -S threshold.rules -r Scan.pcap -v -l log/ --runmode=single

Produces 15 alerts (as it should) 
suricata -c /etc/suricata/suricata.yaml -S threshold.rules -r Scan.pcap -v -l log/ --runmode=autofp

Produces 17 alerts 
suricata -c /etc/suricata/suricata.yaml -S threshold.rules -v --unix-socket=/var/run/suricata666.socket
/usr/bin/suricatasc /var/run/suricata666.socket -c "pcap-file Scan.pcap log/"

Produces 17 alerts, after a few runs it can get 18 alerts 
suricata -c /etc/suricata/suricata.yaml -S threshold.rules -v --unix-socket=/var/run/suricata666.socket
/usr/bin/suricatasc /var/run/suricata666.socket -c "pcap-file Scan.pcap log/"

with "max-pending-packets: 4096" setting in suricata.yaml produces 20 alerts 
suricata -c /etc/suricata/suricata.yaml -S threshold.rules -v --unix-socket=/var/run/suricata666.socket
/usr/bin/suricatasc /var/run/suricata666.socket -c "pcap-file Scan.pcap log/"

with "max-pending-packets: 20000" setting in suricata.yaml produces 21 alerts.

Files

threshold-run.tar.gz (2.57 MB) threshold-run.tar.gz Peter Manev, 04/27/2016 05:54 PM
Actions
Copy link
 #1

Updated by Andreas Herz almost 10 years ago

Is this something you see with old versions as well?
I just guess it's a timing issue for the counter (60seconds 1 hit) that could happen everytime.

Actions
Copy link
 #2

Updated by Peter Manev almost 10 years ago

Old versions have it as well but it should be the same number across all runs.

Actions
Copy link
 #3

Updated by Andreas Herz over 9 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions
Copy link
 #4

Updated by Andreas Herz over 6 years ago

I can still reproduce it with current master (5.0.0-dev (rev a5f1f19b2)), it produces 15 alerts in runmode single, but 9 alerts for autofp

Actions
Copy link
 #5

Updated by Victor Julien over 6 years ago

Ultimately time is a funny thing when reading pcaps. We try hard to have a realistic internal concept of time, but it will never be perfect. Thresholding rules show this.

Actions
Copy link
 #6

Updated by Philippe Antoine 6 months ago

  • Status changed from New to Feedback

So, can we do better ? Or just document ?

Actions
Copy link

Also available in: Atom PDF