Understanding Stats.log against Syn Flood Attacks

Hi All,

I am new to Suricata. I am testing Suricata 6.0.1 on Windows 10 with the Snort community signatures for comparison. I attack Snort and Suricata, in detect mode on similar PCs, with hping3.
I.e. I send 1000 SYN packets to both; Snort captures 1000 SYN packets and alerts 1000 times, while Suricata captures 1000 SYN packets but alerts 6 times, as seen below. Could you please help me understand the logs properly, and whether the configuration needs any improvement?

Thanks.

Counter | TM Name | Value

capture.kernel_packets | Total | 1004
decoder.pkts | Total | 1005
decoder.bytes | Total | 174378
decoder.ipv4 | Total | 1003
decoder.ethernet | Total | 1005
decoder.tcp | Total | 1000
decoder.udp | Total | 3
decoder.avg_pkt_size | Total | 173
decoder.max_pkt_size | Total | 174
flow.tcp | Total | 1000
flow.udp | Total | 1
flow.wrk.spare_sync_avg | Total | 100
flow.wrk.spare_sync | Total | 12
tcp.syn | Total | 1000
detect.alert | Total | 6
app_layer.flow.failed_udp | Total | 1
flow.mgr.full_hash_pass | Total | 1
flow.spare | Total | 10100
flow.mgr.rows_maxlen | Total | 1
flow.mgr.flows_checked | Total | 119
flow.mgr.flows_notimeout | Total | 119
tcp.memuse | Total | 2293760
tcp.reassembly_memuse | Total | 393216
flow.memuse | Total | 7177504
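To work through a stats.log like the one above, here is an added Python example (not from this thread and not Suricata's own code) that parses the `Counter | TM Name | Value` table, keeps each snapshot separately because stats.log appends a new table every stats interval with cumulative values, and relates `tcp.syn` to `detect.alert`. The sample text is constructed from the counters quoted in the post plus an earlier made-up snapshot. One caveat the parser reflects: by default stats.log leaves out counters whose value is zero (the `null-values` option of the stats output in suricata.yaml prints them), so a counter that is absent should be read as 0 rather than as missing data.

```python
import re
from typing import Dict, List

# Constructed excerpt in the layout of Suricata's stats.log. Two snapshots are included:
# the second uses the counter values quoted in the post, the first is made up.
SAMPLE_STATS = """\
------------------------------------------------------------------------------------
Date: 1/1/2021 -- 00:00:08 (uptime: 0d, 00h 00m 08s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 512
decoder.pkts                                  | Total                     | 512
tcp.syn                                       | Total                     | 500
detect.alert                                  | Total                     | 2
------------------------------------------------------------------------------------
Date: 1/1/2021 -- 00:00:16 (uptime: 0d, 00h 00m 16s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 1004
decoder.pkts                                  | Total                     | 1005
decoder.tcp                                   | Total                     | 1000
decoder.udp                                   | Total                     | 3
flow.tcp                                      | Total                     | 1000
tcp.syn                                       | Total                     | 1000
detect.alert                                  | Total                     | 6
flow.spare                                    | Total                     | 10100
"""

# One data row: counter name | thread/TM name | integer value.
ROW_RE = re.compile(r"^\s*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text: str) -> List[Dict[str, int]]:
    """Split stats.log text into snapshots; each is {counter: value} for the Total column."""
    snapshots: List[Dict[str, int]] = []
    current: Dict[str, int] = {}
    for line in text.splitlines():
        if line.startswith("Counter"):
            # A new header starts a new snapshot; flush the previous one.
            if current:
                snapshots.append(current)
            current = {}
            continue
        m = ROW_RE.match(line)
        if m and m.group(2) == "Total":
            current[m.group(1)] = int(m.group(3))
    if current:
        snapshots.append(current)
    return snapshots


def summarize(counters: Dict[str, int]) -> Dict[str, float]:
    """Relate SYN volume to alert volume. Absent counters are treated as 0,
    because stats.log omits zero-valued counters unless null-values is enabled."""
    syn = counters.get("tcp.syn", 0)
    alerts = counters.get("detect.alert", 0)
    return {
        "syn_packets": syn,
        "alerts": alerts,
        "alerts_per_syn": (alerts / syn) if syn else 0.0,
        "kernel_drops": counters.get("capture.kernel_drops", 0),
    }


def delta(older: Dict[str, int], newer: Dict[str, int]) -> Dict[str, int]:
    """Change within one interval, since stats.log values are cumulative since start."""
    return {k: newer[k] - older.get(k, 0) for k in newer}


if __name__ == "__main__":
    snaps = parse_stats(SAMPLE_STATS)
    print("latest snapshot:", summarize(snaps[-1]))
    if len(snaps) > 1:
        print("since previous interval:", delta(snaps[-2], snaps[-1]))
```

Point it at a real file with `parse_stats(open("stats.log").read())`; if `detect.alert` never shows up in the latest snapshot, `summarize` reports 0 alerts, which is what an absent counter means.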

Can you post the rule that you’re expecting to match?

Actually I am not quite sure which rule, but Snort can identify it.
Maybe these two:
alert ( msg: "STREAM5_SYN_ON_EST"; sid: 1; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "STREAM5_DATA_ON_SYN"; sid: 2; gid: 129; rev: 1; metadata: rule-type preproc ; reference: cve,2009-1157; reference: bugtraq, 34429; classtype:protocol-command-decode; )

My Snort logs and attack command:

sudo hping3 192.168.x.x -q -n -d 120 -S --faster --rand-source -w 64 -p xxx -c 100

Snort ran for 0 days 0 hours 0 minutes 17 seconds
Pkts/sec: 6

Packet I/O Totals:
Received: 109
Analyzed: 109 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 0

Breakdown by protocol (includes rebuilt packets):
Eth: 109 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 100 ( 91.743%)
Frag: 0 ( 0.000%)
ICMP: 0 ( 0.000%)
UDP: 0 ( 0.000%)
TCP: 100 ( 91.743%)
IP6: 0 ( 0.000%)
IP6 Ext: 0 ( 0.000%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 0 ( 0.000%)
UDP6: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
Teredo: 0 ( 0.000%)
ICMP-IP: 0 ( 0.000%)
EAPOL: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 0 ( 0.000%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 0 ( 0.000%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 0 ( 0.000%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 9 ( 8.257%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 0 ( 0.000%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 0 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 0 ( 0.000%)
Other: 0 ( 0.000%)
Bad Chk Sum: 0 ( 0.000%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 0 ( 0.000%)
S5 G 2: 0 ( 0.000%)
Total: 109

Action Stats:
Alerts: 100 ( 91.743%)
Logged: 100 ( 91.743%)
Passed: 0 ( 0.000%)
Limits:
Match: 0
Queue: 0
Log: 0
Event: 0
Alert: 0
Verdicts:
Allow: 109 (100.000%)

@vjulien, or anyone, do you have an idea?

I wrote a new rule:
alert tcp any any -> $HOME_NET any (msg:"SYN Flood"; flags:S; flow: stateless; detection_filter: track by_dst, count 1000, seconds 1; GID:1; sid:10000002; rev:001; classtype:attempted-dos;)

But this time detect.alert has disappeared from stats.log.
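The rule above depends on `detection_filter: track by_dst, count 1000, seconds 1`, which only fires once more than 1000 matches have been seen for the same destination within a one-second window, and then on every further match in that window. An added Python model of that documented behaviour follows (it is not Suricata's code and not from this thread; it tracks fractional-second timestamps, whereas Suricata compares whole seconds, and all event streams are constructed). It shows why a SYN stream that is spread out over many seconds never produces a `detect.alert` counter at all, while a burst that exceeds the count inside one second alerts on every SYN past the threshold.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (timestamp in seconds, destination address) for one rule match; constructed streams below.
Event = Tuple[float, str]


class DetectionFilter:
    """Model of detection_filter: track by_dst, count N, seconds T.

    Per tracked destination, a window starts at the first match. Matches within T seconds
    of that start are counted, and the rule alerts on every match after the count has been
    reached (from match N+1 onward). A match outside the window starts a fresh window.
    This follows the documented semantics; it is not Suricata's implementation.
    """

    def __init__(self, count: int, seconds: float):
        self.count = count
        self.seconds = seconds
        # destination -> (window start timestamp, matches seen in this window)
        self._window: Dict[str, Tuple[Optional[float], int]] = {}

    def match(self, ts: float, key: str) -> bool:
        start, n = self._window.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            self._window[key] = (ts, 1)  # new window, first match never alerts
            return False
        n += 1
        self._window[key] = (start, n)
        return n > self.count


def run(events: List[Event], count: int, seconds: float) -> Dict[str, int]:
    """Return the number of alerts per destination for a stream of SYN matches."""
    df = DetectionFilter(count, seconds)
    alerts: Dict[str, int] = defaultdict(int)
    for ts, dst in sorted(events):
        if df.match(ts, dst):
            alerts[dst] += 1
    return dict(alerts)


def spread(n: int, duration: float, dst: str = "192.0.2.10") -> List[Event]:
    """n SYNs evenly spread over `duration` seconds (constructed; e.g. 1000 over 17 s)."""
    return [(i * duration / n, dst) for i in range(n)]


def burst(n: int, dst: str = "192.0.2.10") -> List[Event]:
    """n SYNs all inside a single second (constructed)."""
    return [(i / n, dst) for i in range(n)]


if __name__ == "__main__":
    # 1000 SYNs over 17 seconds: about 59 per window, never past count 1000 -> no alerts,
    # so detect.alert would not even appear in stats.log.
    print("spread 1000/17s:", run(spread(1000, 17.0), 1000, 1))
    # 1500 SYNs in one second: alerts on matches 1001..1500 -> 500 alerts.
    print("burst 1500/1s:  ", run(burst(1500), 1000, 1))
    # Two destinations are tracked separately under track by_dst.
    mixed = burst(1200, "192.0.2.10") + burst(900, "192.0.2.11")
    print("two targets:    ", run(mixed, 1000, 1))
```

To see the rule fire in a test, either the SYN rate has to exceed the count within the window or the `count`/`seconds` values have to be lowered to match the rate actually being generated; the model makes it easy to try a candidate pair against a measured packet rate before editing the rule.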

What do you want to know about the stats.log exactly?
There are different log files, for example fast.log and eve.json where you would also see the alerts that trigger.

Stats.log is enough for now, but if you can suggest any simple-to-use app for the alerts on Windows, I would much appreciate it.

I need to understand why the alert count is 6.
What should I do?

I would start with the eve.json alert output and/or fast.log to see what packets have hit which rule. You should have those 6 alerts in there and could use that to find the reason for the 6 hits.
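As an added example of the approach this reply suggests (my code, not the poster's and not part of Suricata), here is a small Python script that reads alert records from eve.json and lines from fast.log, normalises both to the same shape, and counts them by signature and by source/destination pair, which is the quickest way to see which rule the 6 alerts belong to and which hosts produced them. The sample eve.json and fast.log content is constructed: addresses, ports, signature ids and timestamps are made up, only the field names and line layout follow Suricata's formats. It also tolerates a half-written last line, which is normal when reading a live eve.json.

```python
import json
import re
from collections import Counter
from typing import Dict, List, Tuple


def _eve(ts, src, dst, dport, sid, sig):
    """Build one constructed eve.json alert record (field names as Suricata writes them)."""
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src, "src_port": 40001,
                       "dest_ip": dst, "dest_port": dport, "proto": "TCP",
                       "alert": {"action": "allowed", "gid": 1, "signature_id": sid, "rev": 1,
                                 "signature": sig, "category": "Attempted Denial of Service",
                                 "severity": 2}})


# Constructed eve.json: four alerts, one flow event, one truncated trailing line.
SAMPLE_EVE = "\n".join([
    _eve("2021-01-01T00:00:01.000001+0000", "198.51.100.7", "192.0.2.10", 80, 10000002, "SYN Flood"),
    _eve("2021-01-01T00:00:01.000412+0000", "198.51.100.7", "192.0.2.10", 80, 10000002, "SYN Flood"),
    _eve("2021-01-01T00:00:02.100000+0000", "203.0.113.9", "192.0.2.10", 80, 10000002, "SYN Flood"),
    _eve("2021-01-01T00:00:02.200000+0000", "203.0.113.9", "192.0.2.10", 22, 10000003, "Constructed other rule"),
    json.dumps({"timestamp": "2021-01-01T00:00:03.000000+0000", "event_type": "flow",
                "src_ip": "203.0.113.9", "dest_ip": "192.0.2.10", "proto": "UDP"}),
    '{"timestamp": "2021-01-01T00:00:04.000000+0000", "event_type": "al',
])

# Constructed fast.log lines in Suricata's single-line alert format.
SAMPLE_FAST = """\
01/01/2021-00:00:01.000001  [**] [1:10000002:1] SYN Flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.10:80
01/01/2021-00:00:02.200000  [**] [1:10000003:1] Constructed other rule [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.9:40001 -> 192.0.2.10:22
"""

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<sig>.*?)\s+\[\*\*\]"
    r"\s+\[Classification:\s*(?P<cls>.*?)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}"
    r"\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$")

# Normalised alert: ts, sid, signature, src_ip, dest_ip, dest_port
Alert = Dict[str, object]


def load_eve_alerts(text: str) -> List[Alert]:
    """Keep only event_type alert records; skip blank, non-alert and unparsable lines."""
    out: List[Alert] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written final line on a live file
        if rec.get("event_type") != "alert":
            continue
        out.append({"ts": rec["timestamp"], "sid": rec["alert"]["signature_id"],
                    "signature": rec["alert"]["signature"], "src_ip": rec["src_ip"],
                    "dest_ip": rec["dest_ip"], "dest_port": rec["dest_port"]})
    return out


def load_fast_alerts(text: str) -> List[Alert]:
    """Parse fast.log lines into the same normalised shape."""
    out: List[Alert] = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            out.append({"ts": m["ts"], "sid": int(m["sid"]), "signature": m["sig"],
                        "src_ip": m["src"], "dest_ip": m["dst"], "dest_port": int(m["dport"])})
    return out


def by_signature(alerts: List[Alert]) -> Dict[Tuple[int, str], int]:
    """Alert count per (sid, signature name)."""
    return dict(Counter((a["sid"], a["signature"]) for a in alerts))


def by_src_dst(alerts: List[Alert]) -> Dict[Tuple[str, str, int], int]:
    """Alert count per (source ip, destination ip, destination port)."""
    return dict(Counter((a["src_ip"], a["dest_ip"], a["dest_port"]) for a in alerts))


if __name__ == "__main__":
    eve = load_eve_alerts(SAMPLE_EVE)
    print("eve.json by signature:", by_signature(eve))
    print("eve.json by src/dst:  ", by_src_dst(eve))
    print("fast.log by signature:", by_signature(load_fast_alerts(SAMPLE_FAST)))
```

On a real box, replace the samples with `open("eve.json").read()` or `open("fast.log").read()`; the `by_signature` totals should add up to the `detect.alert` value in stats.log for the same run, and the `(sid, signature)` keys name the rules that actually matched.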