Project

General

Profile

Actions

Bug #1772

open

Inconsistent number of alerts while reading a pcap - runmode single/autofp,unix-socket

Added by Peter Manev over 8 years ago. Updated over 5 years ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using the pcap and the rules file attached with Suricata - 3.1dev (rev 7f700a1) - there is inconsistent number of alerts generated (reproducible across runs ) as follows:

suricata -c /etc/suricata/suricata.yaml -S threshold.rules -r Scan.pcap -v -l log/ --runmode=single

Produces 15 alerts (as it should)
suricata -c /etc/suricata/suricata.yaml -S threshold.rules -r Scan.pcap -v -l log/ --runmode=autofp

Produces 17 alerts
suricata -c /etc/suricata/suricata.yaml -S threshold.rules -v --unix-socket=/var/run/suricata666.socket
/usr/bin/suricatasc /var/run/suricata666.socket -c "pcap-file Scan.pcap log/" 

Produces 17 alerts, after a few runs it can get 18 alerts
suricata -c /etc/suricata/suricata.yaml -S threshold.rules -v --unix-socket=/var/run/suricata666.socket
/usr/bin/suricatasc /var/run/suricata666.socket -c "pcap-file Scan.pcap log/" 

with "max-pending-packets: 4096" setting in suricata.yaml produces 20 alerts
suricata -c /etc/suricata/suricata.yaml -S threshold.rules -v --unix-socket=/var/run/suricata666.socket
/usr/bin/suricatasc /var/run/suricata666.socket -c "pcap-file Scan.pcap log/" 

with "max-pending-packets: 20000" setting in suricata.yaml produces 21 alerts.

Files

threshold-run.tar.gz (2.57 MB) threshold-run.tar.gz Peter Manev, 04/27/2016 05:54 PM
Actions #1

Updated by Andreas Herz over 8 years ago

Is this something you see with old versions as well?
I just guess it's a timing issue for the counter (60seconds 1 hit) that could happen everytime.

Actions #2

Updated by Peter Manev over 8 years ago

Old versions have it as well but it should be the same number across all runs.

Actions #3

Updated by Andreas Herz over 8 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #4

Updated by Andreas Herz over 5 years ago

I can still reproduce it with current master (5.0.0-dev (rev a5f1f19b2)), it produces 15 alerts in runmode single, but 9 alerts for autofp

Actions #5

Updated by Victor Julien over 5 years ago

Ultimately time is a funny thing when reading pcaps. We try hard to have a realistic internal concept of time, but it will never be perfect. Thresholding rules show this.

Actions

Also available in: Atom PDF