Support #3420
closed
Suricata filestore v1 and v2 lose files after a period of time
Added by KingJJ wang over 4 years ago.
Updated over 3 years ago.
Description
Hello, I have a problem:
I find Suricata file-store works well for the first few minutes; it can find and store 100% of files.
But after a few minutes, it will only find and store 1% or fewer files.
My Suricata version
I tested Suricata versions 5.0.0 and 4.0.4.
I tested on Linux OS CentOS release 6.10 and CentOS Linux release 7.7.1908.
Files
And I find the alert log loses entries like the file store does.
I wrote only one rule: alert http {myip} any -> {ipA} any (...)
Then I curl {IPA} 10000 times.
At first, the alert count in fast.log is right.
But after a few minutes, the alerts for the same sig in fast.log don't grow in proportion anymore.
At this moment, I curl {IPA} 1000 times, and the alerts only grow by 200 in fast.log.
- Tracker changed from Bug to Support
Can you share your stats.log? It may hold clues about why this happens.
Victor Julien wrote:
Can you share your stats.log? It may hold clues about why this happens.
OK, thank you.
Here is the stats.log file.
When Suricata starts, it stores 100% of files, but after a while it cannot store files. I downloaded more than 500 times; Suricata only alerted and stored 2 files.
Hello, support.
What can I do next?
Thank you.
I always meet this problem too, but my problem is more serious, because sometimes I will not get the alerts, because of packet rebuild errors in an environment of 700 Mbps.
How can I optimize my Ethernet capture to get more alerts for filestore?
You could try to see if you can reproduce it with specific traffic that you record as a pcap and do a -r run with Suricata; that might help to narrow it down or give an indication of whether it's related to the way you run Suricata.
There are also quite high numbers of file insert fails in the stats.
- Status changed from New to Closed
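As an added example (not part of this ticket and not Suricata's own code), the following Python script does the stats.log check the replies ask for: it splits a stats.log into its periodic dumps, turns the cumulative counters into per-interval deltas, and flags counters whose names suggest loss or failure (drops, reassembly gaps, insert failures, file-store limits) that grew in an interval. This shows when in the run the behaviour changes, which is the thing to compare against a `-r` pcap run. The stats.log excerpt is constructed for the example; the counter names are ones assumed to be representative of Suricata 4/5 output, and the values are invented.

```python
import re

# Constructed stats.log excerpt (not the attachment from the ticket): two
# consecutive dumps in Suricata's "Counter | TM Name | Value" layout. Counter
# names are assumed representative of Suricata 4/5; values are invented.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 11/21/2019 -- 10:00:15 (uptime: 0d, 00h 00m 15s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 120000
capture.kernel_drops                       | Total                     | 0
tcp.reassembly_gap                         | Total                     | 0
tcp.insert_data_normal_fail                | Total                     | 0
file_store.open_files_max_hit              | Total                     | 0
detect.alert                               | Total                     | 1000
------------------------------------------------------------------------------------
Date: 11/21/2019 -- 10:08:15 (uptime: 0d, 00h 08m 15s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 860000
capture.kernel_drops                       | Total                     | 310000
tcp.reassembly_gap                         | Total                     | 4200
tcp.insert_data_normal_fail                | Total                     | 9800
file_store.open_files_max_hit              | Total                     | 37
detect.alert                               | Total                     | 1200
"""

DATE_RE = re.compile(r"^Date: (.+?) \(uptime")
COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")
# Name fragments that usually mean "something was lost or refused".
SUSPECT_RE = re.compile(r"drop|fail|gap|max_hit|error")


def parse_stats_log(text):
    """Split stats.log into dumps: a list of (timestamp, {counter: value})."""
    dumps = []
    current = None
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            current = (m.group(1), {})
            dumps.append(current)
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            name, tm_name, value = m.groups()
            if tm_name == "Total":  # skip per-thread rows if the config emits them
                current[1][name] = int(value)
    return dumps


def interval_deltas(dumps):
    """stats.log counters are cumulative; return per-interval increases."""
    out = []
    for (_, prev), (ts, cur) in zip(dumps, dumps[1:]):
        out.append((ts, {k: v - prev.get(k, 0) for k, v in cur.items()}))
    return out


def suspicious_counters(deltas):
    """Per interval, the loss/failure-looking counters that actually grew."""
    flagged = {}
    for ts, delta in deltas:
        grew = {k: v for k, v in delta.items() if SUSPECT_RE.search(k) and v > 0}
        if grew:
            flagged[ts] = grew
    return flagged


def drop_ratio(delta):
    """Fraction of packets the kernel dropped during one interval."""
    pkts = delta.get("capture.kernel_packets", 0)
    return delta.get("capture.kernel_drops", 0) / pkts if pkts else 0.0


if __name__ == "__main__":
    dumps = parse_stats_log(SAMPLE_STATS_LOG)
    deltas = interval_deltas(dumps)
    for ts, delta in deltas:
        print(f"{ts}: alerts +{delta.get('detect.alert', 0)}, "
              f"kernel drop ratio {drop_ratio(delta):.1%}")
    for ts, grew in suspicious_counters(deltas).items():
        for name, inc in sorted(grew.items()):
            print(f"  {ts}: {name} +{inc}")
```

Run it against a real stats.log with `parse_stats_log(open("stats.log").read())`. If kernel drops or reassembly gaps start climbing in the same interval where alerts stop keeping pace with requests, the capture path (NIC, ring sizes, thread count) is the first suspect rather than the file-store code; a `-r` run over a pcap of the same traffic removes the capture path entirely and makes that distinction.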