Are Suricata Alerts reproducible on a per pcap basis

joser12345678 · August 21, 2023, 1:51pm

Hello,

I am trying to test Suricata and have been getting a different number of alerts using the same pcap file even after restarting Suricata. I was wondering if this is expected behavior or not.

Andreas_Herz · August 21, 2023, 1:57pm

Hi,

what version of Suricata are you running? How does the config look like and how do you run it?
You could try runs with --runmode=single to ensure parallelization is not the issue

joser12345678 · August 21, 2023, 3:27pm

Right now I am running Suricata-7.0.0-rc1. I am running using the default configuration in the suricata.yaml file for af-packet and am using the following to invoke Suricata:

sudo suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet --runmode=single -vvvv

I added the runmode=single as you stated but it seems the number of alerts is still varying. I am replaying the PCAP given here:

Malware-Traffic-Analysis.net - 2022-01-07 - Traffic analysis exercise - Spoonwatch

To replay the packets I am sending traffic to Suricata via Pktgen on another machine.

joser12345678 · August 21, 2023, 3:29pm

Ah never mind. It appears replaying the traffic from another machine was the problem.

joser12345678 · August 31, 2023, 1:18pm

I have a follow up question and thought I should ask it in the same thread.

The same command is used as above, with a single worker, but the result when capturing on an interface have a high variance.

For example, I am replaying the same pcap file as shown above but the number of alerts are changing seemingly every time. The types of alerts are also varying a bit. When comparing the alerts from running Suricata in pcap mode to the alerts from running Suricata on an interface and capturing the replayed pcap; I am seeing different alerts or an absence of alerts that are supposed to be there.

I was wondering if this is expected behavior.

Andreas_Herz · August 31, 2023, 5:10pm

How do you run the replay from the pcap towards the interface?

joser12345678 · August 31, 2023, 6:27pm

I have one machine, running Pktgen, which is directly connected to the interface I am monitoring with suricata on another machine. I set the “count” or number of packets to replay on Pktgen to the number of packets in the pcap file.

joser12345678 · September 5, 2023, 4:02pm

Curiously enough, using TCPReplay produces the expected behavior. I think Pktgen is reordering the pcap or replaying it incorrectly

Topic		Replies	Views
Which packets triggering the alerts that fired by a bunch of pcaps Help	1	169	July 13, 2023
Weird result when comparing Suricata detections with snort (using same traffic) - what am I missing? Help	4	789	December 13, 2021
Capture file not always exsits for alerts (Suricata v.7 Conditional PCAP)	4	408	April 23, 2023
Suricata 5 not generates alerts after a week running Help	6	1993	May 31, 2020
What does "Alerts" mean in the output of suricata?	12	431	September 19, 2023

Are Suricata Alerts reproducible on a per pcap basis

Related Topics