https://datafeed.emergingthreatspro.com/qa_pcaps/
From the above site we have alert pcaps downloaded onto host1, from which we are sending (tcpreplay) the packets out to host2, where Suricata is listening for packets on an interface, say ids. We saw various alerts generated by Suricata under the path /var/log/suricata/eve_**.json.
We tried sending alert pcaps continuously using a script for 2 days. At a particular point in time we saw that Suricata was not detecting any alerts, but after restarting the daemon we were able to see the alerts generated.
What could have caused the issue here?
Is there any parameter in suricata.yaml that we can tune to overcome the issue?
Kindly do help.
I cannot think of an immediate problem here, but more info will be appreciated. Suricata is designed to work continuously and there should not be a single setting to “stop after 2 days / 1000 flows etc.”
When it happens the next time try to gather more info. Some questions to answer:
Does it generate any other logs except alerts, e.g. flow records, protocol layer records etc.?
Are stats increasing?
Is there anything visible in suricata.log, e.g. Flow emergency?
Can you verify that Suricata is still running? Generate a coredump if it crashes; that can be very helpful.
Can you identify the last pcap it processed and can you reproduce the issue?
Is the TX script working fine? Can you see the traffic with other tools, e.g. tcpdump?
Btw, if you are analyzing only PCAPs, wouldn’t it be better to use PCAP reading mode and the --pcap-file-continuous option?
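One way to answer the “are stats increasing, is it still alerting” questions above from eve.json offline, as an added Python example that is not part of either post: it reads Suricata’s stats records (capture.kernel_packets, capture.kernel_drops, detect.alert) and alert events, and tells a capture stall (nothing counted on the interface, so look at the TX script and tcpdump first) apart from an alerting stall (packets still climbing while the alert counter stays flat), which is the symptom the question describes. The eve.json lines are constructed sample data.

```python
import json

# Constructed sample eve.json lines (not from the original post): stats records
# 60 s apart plus one alert event; after the second stats record packets keep
# arriving but the detect.alert counter never moves again (the reported symptom).
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"stats","stats":{"uptime":60,"capture":{"kernel_packets":1000,"kernel_drops":0},"detect":{"alert":5}}}
{"timestamp":"2024-01-01T00:00:30.000000+0000","event_type":"alert","alert":{"signature_id":2000000,"signature":"CONSTRUCTED TEST RULE"}}
{"timestamp":"2024-01-01T00:01:00.000000+0000","event_type":"stats","stats":{"uptime":120,"capture":{"kernel_packets":2000,"kernel_drops":0},"detect":{"alert":6}}}
{"timestamp":"2024-01-01T00:02:00.000000+0000","event_type":"stats","stats":{"uptime":180,"capture":{"kernel_packets":3000,"kernel_drops":0},"detect":{"alert":6}}}
{"timestamp":"2024-01-01T00:03:00.000000+0000","event_type":"stats","stats":{"uptime":240,"capture":{"kernel_packets":4000,"kernel_drops":0},"detect":{"alert":6}}}
"""


def parse_eve(lines):
    """Split eve.json lines into (packets, drops, alert_counter) stats snapshots
    and a count of alert events actually written to the log."""
    snapshots, alert_events = [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "stats":
            s = rec["stats"]
            snapshots.append((s["capture"]["kernel_packets"], s["capture"]["kernel_drops"], s["detect"]["alert"]))
        elif rec.get("event_type") == "alert":
            alert_events += 1
    return snapshots, alert_events


def diagnose(lines, stall_intervals=2):
    """Classify the tail of the log: capture-stalled, alerts-stalled or healthy."""
    snaps, alert_events = parse_eve(lines)
    if len(snaps) < 2:
        return {"verdict": "insufficient-stats", "alert_events": alert_events}
    pkt_delta = snaps[-1][0] - snaps[-2][0]
    drop_delta = snaps[-1][1] - snaps[-2][1]
    # Over the last N intervals: packets still climbing but the alert counter flat
    # means the engine is up and traffic arrives, yet detection produces nothing.
    window = snaps[-(stall_intervals + 1):]
    pairs = list(zip(window, window[1:]))
    pkts_moving = all(b[0] > a[0] for a, b in pairs)
    alerts_flat = all(b[2] == a[2] for a, b in pairs)
    if pkt_delta <= 0:
        verdict = "capture-stalled"   # nothing reaching the interface: check TX side
    elif len(pairs) == stall_intervals and pkts_moving and alerts_flat:
        verdict = "alerts-stalled"
    else:
        verdict = "healthy"
    return {"verdict": verdict, "pkt_delta": pkt_delta,
            "drop_delta": drop_delta, "alert_events": alert_events}
```

Run it against the real file with `diagnose(open("/var/log/suricata/eve.json"))` (path assumed); a rising `drop_delta` alongside a healthy verdict is worth noting too, since dropped packets never reach detection.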