A question regarding packets de-duplication

  • Suricata 7.0.2
  • Operating system: Debian
  • Installed Suricata from source

We use tcpreplay to replay the same pcap to Suricata multiple times at a speed of 5MB/s, and we've found that when continuously replaying the same packets, Suricata does not output all alerts. For example, if A.pcap is played only once, it will generate 10 alerts, but if it is replayed 3 times at 5MB/s, it might only result in 15 or 16 alerts.
My question is, does Suricata have a mechanism that, when faced with the above situation, uses the 5-tuples to determine that the packets belong to the same flow and then bypasses/de-duplicates them?

This highly depends on the type of traffic and how it's replayed. Since it's always the same traffic there can be some overlap. Can you provide the pcaps, the run command for tcpreplay as well as for Suricata, the suricata.yaml, the stats.log and the signatures?

Also check whether the flow event types correlate with what you would expect.
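One way to do the check the reply asks for, as an added example that is not code from either poster or from the Suricata project: group the EVE JSON alert and flow records by flow 5-tuple and see how the alerts from the repeated copies of A.pcap are spread over flow_id values, and what the flow records say about each flow's end state. It assumes the standard eve.json field names (event_type, flow_id, src_ip/src_port/dest_ip/dest_port, proto, alert.signature_id, flow.state, flow.reason); the log lines embedded below are constructed, not captured output, and are only there so the script runs offline.

```python
"""Group Suricata EVE alerts and flow records by flow 5-tuple.

Added example for this thread, not code posted by the question author or the
Suricata project.  Reads eve.json lines and reports, per 5-tuple, how many
alerts fired, how they split across flow_id values, and what the flow records
say (state/reason).  Replaying the same pcap N times reuses the same 5-tuples,
so this shows whether later copies were attributed to an existing flow or to
new ones.  The sample lines below are constructed, not real Suricata output.
"""
import json
from collections import defaultdict

# Constructed eve.json lines: one TCP session replayed three times, one UDP
# flow, and a stats record that must be ignored.  Not real Suricata output.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1001,"event_type":"alert","src_ip":"10.0.0.1","src_port":40000,"dest_ip":"10.0.0.2","dest_port":80,"proto":"TCP","alert":{"signature_id":1,"signature":"TEST request"}}
{"timestamp":"2024-01-01T10:00:00.100000+0000","flow_id":1001,"event_type":"alert","src_ip":"10.0.0.2","src_port":80,"dest_ip":"10.0.0.1","dest_port":40000,"proto":"TCP","alert":{"signature_id":2,"signature":"TEST response"}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","flow_id":1001,"event_type":"alert","src_ip":"10.0.0.1","src_port":40000,"dest_ip":"10.0.0.2","dest_port":80,"proto":"TCP","alert":{"signature_id":1,"signature":"TEST request"}}
{"timestamp":"2024-01-01T10:00:35.000000+0000","flow_id":1001,"event_type":"flow","src_ip":"10.0.0.1","src_port":40000,"dest_ip":"10.0.0.2","dest_port":80,"proto":"TCP","flow":{"state":"closed","reason":"timeout","pkts_toserver":12,"pkts_toclient":10}}
{"timestamp":"2024-01-01T10:00:40.000000+0000","flow_id":1002,"event_type":"alert","src_ip":"10.0.0.1","src_port":40000,"dest_ip":"10.0.0.2","dest_port":80,"proto":"TCP","alert":{"signature_id":1,"signature":"TEST request"}}
{"timestamp":"2024-01-01T10:00:40.100000+0000","flow_id":1002,"event_type":"alert","src_ip":"10.0.0.2","src_port":80,"dest_ip":"10.0.0.1","dest_port":40000,"proto":"TCP","alert":{"signature_id":2,"signature":"TEST response"}}
{"timestamp":"2024-01-01T10:01:15.000000+0000","flow_id":1002,"event_type":"flow","src_ip":"10.0.0.1","src_port":40000,"dest_ip":"10.0.0.2","dest_port":80,"proto":"TCP","flow":{"state":"closed","reason":"timeout","pkts_toserver":6,"pkts_toclient":5}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2001,"event_type":"alert","src_ip":"10.0.0.1","src_port":5353,"dest_ip":"10.0.0.3","dest_port":53,"proto":"UDP","alert":{"signature_id":3,"signature":"TEST dns"}}
{"timestamp":"2024-01-01T10:01:00.000000+0000","event_type":"stats","stats":{"uptime":60}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def five_tuple(ev):
    """Direction-independent 5-tuple key for an alert or flow record.

    Alerts carry the src/dest of the packet that matched, so a rule firing on
    the server's response has the endpoints swapped relative to the flow's
    original direction.  Sorting the two endpoints makes both directions map
    to the same key, matching the bidirectional flow Suricata tracks.
    """
    a = (ev["src_ip"], ev["src_port"])
    b = (ev["dest_ip"], ev["dest_port"])
    lo, hi = sorted([a, b])
    return (ev["proto"], lo[0], lo[1], hi[0], hi[1])


def summarize(events):
    """Per 5-tuple: alert count, alerts per flow_id, and flow record outcomes."""
    out = {}
    for ev in events:
        kind = ev.get("event_type")
        if kind not in ("alert", "flow"):
            continue
        entry = out.setdefault(
            five_tuple(ev),
            {"alerts": 0, "alerts_per_flow": defaultdict(int), "flow_records": []},
        )
        if kind == "alert":
            entry["alerts"] += 1
            entry["alerts_per_flow"][ev["flow_id"]] += 1
        else:
            fl = ev["flow"]
            entry["flow_records"].append((ev["flow_id"], fl.get("state"), fl.get("reason")))
    # Plain dicts so the result is easy to print or compare.
    for entry in out.values():
        entry["alerts_per_flow"] = dict(entry["alerts_per_flow"])
    return out


def report(summary):
    """One human-readable line per 5-tuple."""
    lines = []
    for key in sorted(summary):
        e = summary[key]
        proto, sip, sport, dip, dport = key
        per_flow = ", ".join(f"flow {fid}: {n} alerts" for fid, n in sorted(e["alerts_per_flow"].items()))
        flows = ", ".join(f"flow {fid} {st}/{rs}" for fid, st, rs in e["flow_records"]) or "no flow record yet"
        lines.append(f"{proto} {sip}:{sport} <-> {dip}:{dport}: {e['alerts']} alerts [{per_flow}]; {flows}")
    return lines


if __name__ == "__main__":
    import sys
    # Pass the path to a real eve.json as the first argument; otherwise the
    # constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    for line in report(summarize(parse_eve(text))):
        print(line)
```

Run it against the eve.json written during the three replays (the path is whatever your suricata.yaml's eve-log output points at). If the alerts for the second and third copies of a session show up under the same flow_id as the first copy, Suricata treated the replayed packets as part of the flow it was already tracking rather than as a new session; if each copy gets its own flow_id, the flow records' state and reason fields tell you how each one ended. The `flow` event type has to be enabled under the eve-log output in suricata.yaml for the flow records to appear at all.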