Project

General

Profile

Actions
Copy link

Bug #1772

open

Inconsistent number of alerts while reading a pcap - runmode single/autofp,unix-socket

Added by Peter Manev over 8 years ago. Updated about 5 years ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using the pcap and the rules file attached with Suricata - 3.1dev (rev 7f700a1) - there is inconsistent number of alerts generated (reproducible across runs ) as follows:

suricata -c /etc/suricata/suricata.yaml -S threshold.rules -r Scan.pcap -v -l log/ --runmode=single

Produces 15 alerts (as it should) 
suricata -c /etc/suricata/suricata.yaml -S threshold.rules -r Scan.pcap -v -l log/ --runmode=autofp

Produces 17 alerts 
suricata -c /etc/suricata/suricata.yaml -S threshold.rules -v --unix-socket=/var/run/suricata666.socket
/usr/bin/suricatasc /var/run/suricata666.socket -c "pcap-file Scan.pcap log/"

Produces 17 alerts, after a few runs it can get 18 alerts 
suricata -c /etc/suricata/suricata.yaml -S threshold.rules -v --unix-socket=/var/run/suricata666.socket
/usr/bin/suricatasc /var/run/suricata666.socket -c "pcap-file Scan.pcap log/"

with "max-pending-packets: 4096" setting in suricata.yaml produces 20 alerts 
suricata -c /etc/suricata/suricata.yaml -S threshold.rules -v --unix-socket=/var/run/suricata666.socket
/usr/bin/suricatasc /var/run/suricata666.socket -c "pcap-file Scan.pcap log/"

with "max-pending-packets: 20000" setting in suricata.yaml produces 21 alerts.

Files

threshold-run.tar.gz (2.57 MB) threshold-run.tar.gz Peter Manev, 04/27/2016 05:54 PM
Actions
Copy link

Also available in: Atom PDF