Replay of a pcap resulting in 15 alerts for ids mode and only 14 alerts for inline mode

ids (87.9 KB)
inline (49.6 KB)
output_native6_tcp49172.pcap (46.4 KB)
sp.rules (685 Bytes)

Hello everyone,

i am replaying a pcap to suricata 6.0.10 running natively on ubuntu. The pcap contains 15 POST requests that are supposed to match signature sid:2022679 present in the sp.rules file attached.

case1: ids mode
in this case the alerts are generated for all 15 transactions starting from tx_id":0 to tx_id":14, giving 15 alerts

case2: inline mode
here the alerts are generated only starting from tx_id":1 to tx_id":14 , resulting in only 14 alerts.

Qn: “What could be the reason for a one less match in the case of inline mode” or why is tx_id":0 not generating an alert only in the case of inline mode.

Note: ‘eve.json, stats.log, suricata.log, suricata.yaml’ → zipped for both cases and the pcap have been attached.

please let me know any additional information required


can you also paste the run commands that you are using for both cases?

Also 6.0.10 is rather old, please do a run with 6.0.19 and/or 7.0.5

hi andreaa herz, thanks for the reply.

for both cases i use below command to start suricata on the ubuntu
suricata -c /etc/suricata/suricata.yaml --af-packet -D&

and below command for replaying packets for both cases.
tcpreplay --loop=1 --intf1=ens192 -p 100 output.pcap

hope i answered with the right information you asked for

i will try to setup suricata 6.0.19 or 7.0.5 asap and repeat the test.

thank you

hi andreas herz,

i installed suricata 6.0.19 and tried inline mode, here as well i got only 14 alerts for inline mode or no alerts got generated for tx_id":0

i kept the suricata.yaml config same as 6.0.10 , attached below the stats.log. eve.json, suricata.log, suricata.yaml
inline (52.9 KB)

25/4/2024 – 21:31:19 - - This is Suricata version 6.0.19 RELEASE running in SYSTEM mode

installed suricata 6.0.19 on another ubuntu for ids mode and

here it gives 15 alerts , attached below the stats.log. eve.json, suricata.log, suricata.yaml (87.0 KB)

looks like moving from 6.0.19 couldnt make a difference!


The configs vary quite a lot at parts that are not related to inline vs ids mode, I would first adjust the configs to be mostly the same except for the relevant af-packet section.

For example vlan.use-for-tracking is different in both.

In addition to that you could run ids on the other interface ens256 as well.

1 Like

hi andreas

tuned yaml results for (29.6 KB)
tuned yaml results for (29.6 KB)

i made the yaml configs equal except the af-packet portion

i have added both interfaces ens192 and ens 224 (this is a different ubuntu host with different interfaces than the inline scenario which runs on a host with interfaces ens192 and ens256)

also could you tell why add both interfaces in the case of ids? as all the traffic is passing ens192 isnt that interface alone enough under af-packet ??

ids topology:

inline topology:

results: are same as before, still getting only 14 alerts for inline mode or no alerts corresponding to tx_id":0

thank you

something i notice is that in the below section if i set inline: no instead of inline: auto, then inline mode is giving equal number of matches as that of ids mode that is 15 alerts.
stream setting inline (43.5 KB)

cant inline: be set to auto ?

memcap: 64mb
#memcap-policy: ignore
checksum-validation: no # reject incorrect csums
#midstream: false
#midstream-policy: ignore
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
memcap: 256mb
#memcap-policy: ignore
depth: 1mb # reassemble 1mb into a stream
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: yes