suricata stats on "Packet Capture Statistics" not reflecting search time frame #442
Labels
bug
Something isn't working
dashboards
Relating to Malcolm's OpenSearch Dashboards interface
suricata
Relating to Malcolm's use of Suricata
zeek
Relating to Malcolm's use of Zeek
There was an issue I found in the Packet Capture Statistics dashboard dealing with the following visualizations:
The issue is that while the Zeek stats report a measurement per interval, the Suricata stats report a monotonically increasing number. In other words, if my search time frame is 15 minutes, with the Zeek logs I'll get the total just within those 15 minutes, but with the Suricata logs I'd get a series of increasing numbers between the start and end of that time frame.
This would cause it to look something like this:
which would lead to the erroneous conclusion that Suricata is seeing more than Zeek, when in reality it's not.
I've fixed (see mmguero-dev/Malcolm@4244740) the dashboard to take the max from the time period, subtract the min from the time period, and display that. The numbers should be more accurate now.
Note that the Zeek and Suricata numbers may never be exactly the same, as there are things dealing with buffers and caches, but I imagine they'll be close.
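The aggregation difference described in this issue, as an added illustration that is not part of the original issue or of Malcolm's dashboard code: a per-interval series (Zeek style) is totalled by summing the values in the search window, while a monotonically increasing counter (Suricata style) must be totalled as max minus min over the window, because summing its samples double-counts everything. The sample values and timestamps are constructed; the example also shows turning the cumulative counter into per-interval values so the two sources can be compared directly.

```python
from datetime import datetime, timedelta

# Constructed search window: five one-minute samples starting at T0.
T0 = datetime(2023, 1, 1, 12, 0)
T1 = T0 + timedelta(minutes=4)

# Zeek-style samples: packets seen *during* each interval (constructed values).
ZEEK = [(T0 + timedelta(minutes=i), v) for i, v in ((1, 120), (2, 90), (3, 110), (4, 80))]

# Suricata-style samples: a running total since the process started, so every
# sample already includes packets counted before the window began (constructed).
SURICATA = [(T0 + timedelta(minutes=i), v)
            for i, v in enumerate([5000, 5120, 5210, 5320, 5400])]


def in_window(samples, start, end):
    """Values whose timestamp falls inside [start, end]."""
    return [v for ts, v in samples if start <= ts <= end]


def sum_interval_counts(samples, start, end):
    """Correct for a per-interval series: the window total is the plain sum."""
    return sum(in_window(samples, start, end))


def sum_cumulative_counts(samples, start, end):
    """The behaviour the issue describes: summing a monotonic counter inflates the total."""
    return sum(in_window(samples, start, end))


def delta_cumulative_counts(samples, start, end):
    """The fix from the issue: max of the window minus min of the window."""
    vals = in_window(samples, start, end)
    return max(vals) - min(vals) if vals else 0


def cumulative_to_intervals(samples):
    """Convert a cumulative counter into per-interval counts comparable to Zeek's."""
    return [(ts, v - v_prev) for (_, v_prev), (ts, v) in zip(samples, samples[1:])]


def window_totals(start, end):
    """Side-by-side totals for the three aggregation approaches over one window."""
    return {
        "zeek": sum_interval_counts(ZEEK, start, end),
        "suricata_summed": sum_cumulative_counts(SURICATA, start, end),
        "suricata_max_minus_min": delta_cumulative_counts(SURICATA, start, end),
    }


if __name__ == "__main__":
    print(window_totals(T0, T1))
```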