Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
there was an issue I found in the Packet Capture Statistics dashboard dealing with the following visualizations:
The issue is that while the Zeek stats report a measurement per interval, the Suricata stats report a monotonically increasing number. In other words, if my search time frame is 15 minutes, with the Zeek logs I'll get the total just within those 15 minutes, but with the Suricata logs I'd get a series of increasing numbers between the start and end of that time frame.
This would cause it to look something like this:
which would lead to the erroneous conclusion that suricata is seeing more than Zeek, when in reality it's not.
I've fixed (see mmguero-dev/Malcolm@4244740a88f7621bcadd4e6d351e047aead7e170) the dashboard to take the max from the time period, subtract the min from the time period, and display that. The numbers should be more accurate now.
Note that the zeek and suricata numbers may never be exactly the same, as there are things dealing with buffers and caches, but I imagine they'll be close.
there was an issue I found in the Packet Capture Statistics dashboard dealing with the following visualizations:
The issue is that while the Zeek stats report a measurement per interval, the Suricata stats report a monotonically increasing number. In other words, if my search time frame is 15 minutes, with the Zeek logs I'll get the total just within those 15 minutes, but with the Suricata logs I'd get a series of increasing numbers between the start and end of that time frame.
This would cause it to look something like this:
which would lead to the erroneous conclusion that suricata is seeing more than Zeek, when in reality it's not.
I've fixed (see mmguero-dev/Malcolm@4244740a88f7621bcadd4e6d351e047aead7e170) the dashboard to take the max from the time period, subtract the min from the time period, and display that. The numbers should be more accurate now.
Note that the zeek and suricata numbers may never be exactly the same, as there are things dealing with buffers and caches, but I imagine they'll be close.