A question regarding packets de-duplication

xifeng · March 7, 2024, 7:41am

Suricata 7.0.2

Operating system debian

installed Suricata from source

We use tcpreplay to replay the same pcap packet to Suricata multiple times at a speed of 5MB/s, and we’ve found that when continuously replaying the same packets, Suricata does not output all alerts. For example, if A.pcap is played only once, it will generate 10 alerts, but if replayed 3 times with 5MB/s, it might only result in 15 ~ 16 alerts.
My question is, does Suricata have a mechanism that, when faced with the above situation, uses the 5-tuples to determine they belong to the same packet and then bypasses/de-duplicate them?

Andreas_Herz · April 25, 2024, 8:03pm

This highly depends on the type of traffic and how it’s replayed. Since it’s always the same traffic there can be some overlap. Can you provide the pcaps, the runcommand for tcpreplay as well as suricata, the suricata.yaml and also the stats.log and signatures?

Also check the flow event types if they correlate to what you would expect.

Topic		Replies	Views
Packets dropping or not Help	1	379	September 9, 2021
Application detection and duplicate TCP/SYN Help	6	1243	September 1, 2022
Suricata reacts only to the first run of the same dump Help rules , suricata	8	409	February 2, 2024
Are Suricata Alerts reproducible on a per pcap basis Help	7	340	September 5, 2023
Pcap_cnt and fragmented packets Help	1	265	December 12, 2023

A question regarding packets de-duplication

Related Topics