I’m running Suricata in IDS mode with the following settings:
- inline: no, bypass: no, depth: 5k
Assume a long request is sent and, for simplicity, each packet is 1500 bytes: bytes 1 to 4500 (3 packets) are reassembled and detected, but the packet covering bytes 4501~6000 is discarded by the depth setting, so detection is not possible. After that, bytes 6001~end are normally detected.
When testing in IPS mode with af-packet, everything is detected because of the sliding window method. But I can’t use IPS mode because I have to use all of the Napatech card’s ports as RX.
When using IDS mode, I wonder whether packets that reach the depth are excluded from inspection, and whether IPS mode can be used with all ports of the Napatech card used for RX.
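The settings listed in the question, written out as the suricata.yaml keys they correspond to, alongside the af-packet IPS copy pair that the comparison test relies on. This is an added illustration, not configuration from the poster or from the Suricata project; the interface names and the "5kb" size spelling are assumptions.

```yaml
# Added illustration, not the poster's own suricata.yaml.
# Interface names (ens1f0/ens1f1) and the size spelling "5kb" are assumptions.

# Stream engine settings from the question, under the keys suricata.yaml uses
stream:
  inline: no          # IDS mode: the stream engine is not running inline
  bypass: no          # do not bypass a flow once the reassembly depth is reached
  reassembly:
    depth: 5kb        # "5k" in the question; Suricata size values use kb/mb/gb
                      # suffixes. Stream data past this offset is no longer
                      # reassembled for inspection (the shipped default is 1mb).

# The af-packet IPS test mentioned in the question needs a copy pair: each
# interface forwards to its peer, which is why it cannot leave every port as RX.
af-packet:
  - interface: ens1f0
    copy-mode: ips
    copy-iface: ens1f1
  - interface: ens1f1
    copy-mode: ips
    copy-iface: ens1f0
```

The `stream.bypass` key is the one that decides what happens once `stream.reassembly.depth` is reached, so the two settings are worth reading together when checking what a given configuration still inspects.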