
List:       oisf-users
Subject:    Re: [Oisf-users] threshold will not work on suricata v1.4.1
From:       Stefan Sabolowitsch <Stefan.Sabolowitsch () felten-group ! com>
Date:       2013-03-22 14:09:22
Message-ID: E7F178B652D7E546A7B0B46511A3A5B91988454B () SFG21 ! feltengroup ! local

Victor / Peter,
thanks for the good explanation / help and of course also for suricata :)
btw, I don't really need to change gen_id… (only the context was missing for me -> it is a rule option)


Cheers,
Stefan

On 22.03.2013 at 14:57, Victor Julien <lists@inliniac.net> wrote:

> On 03/22/2013 02:51 PM, Stefan Sabolowitsch wrote:
>> Ahh OK Victor, but where can I change this value (suricata.yaml)?
>> I found only information (fast look) about "generation id" in alert-unified2-alert.c
>> And brief information in the logfile would be helpful
>
> Gen id is a rule option. As the rules you are trying to suppress have
> gen id 1, you just need to change the suppression rules to reflect that. So:
>
> suppress gen_id 1, sig_id 2002068, track by_src, ip 192.168.1.37
> suppress gen_id 1, sig_id 2002068, track by_dst, ip 192.168.1.37
>
> If you really think you need to change the rule's gen_id/gid (which I
> really doubt), then have a look at:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Gid-group-id
>
> Cheers,
> Victor
>
>>
>> On 22.03.2013 at 14:36, Victor Julien <lists@inliniac.net> wrote:
>>
>>> On 03/22/2013 02:03 PM, Stefan Sabolowitsch wrote:
>>>> Hi all,
>>>> I have here the latest suricata (in IPS mode) on CentOS 6.4 with a 3.8 kernel.
>>>>
>>>> these rules
>>>>
>>>> suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
>>>> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
>>>
>>>> or these will not work
>>>>
>>>> suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.100.120
>>>> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.100.120
>>>>
>>>> I always get this alarm on suri (no errors seen in the suri log file)
>>>>
>>>> Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918
>>>
>>> The alert shows generator id 1 (which is the default in suricata), yet
>>> the threshold rules try to suppress gen_id 139. Please try setting
>>> gen_id in the suppress rules to 1.
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> OISF: http://www.openinfosecfoundation.org/
>>>
>>
>



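Victor's diagnosis (the alert carries gid 1 while the suppress lines name gen_id 139), as an added checker that is not part of this thread or of Suricata itself: it parses a fast.log/syslog-style alert line (`[gid:sid:rev] msg ... {proto} src:port -> dst:port`) and a simplified threshold.config, then reports which suppress line, if any, would silence the alert and, when none does, whether a gen_id mismatch is the reason. The regexes, dict layout and function names are my own assumptions, not Suricata's parser, and the sample data is constructed from the thread.

```python
import ipaddress
import re

# Constructed from the thread: Stefan's alert (message shortened) and his
# threshold.config lines with gen_id 139, plus the corrected gen_id 1 version.
ALERT = ("Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify "
         "Connect [Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918")
BAD_RULES = ("suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37\n"
             "suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37\n")
GOOD_RULES = BAD_RULES.replace("gen_id 139", "gen_id 1")
ALERT_RE = re.compile(r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?\{\w+\}\s+"
                      r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+")
# Simplified "suppress" line: one ip or CIDR, blank lines ok, no comments/lists.
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
                         r"\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>[\d./]+)\s*$")

def parse_alert(line):
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("unrecognised alert line")
    return {"gid": int(m["gid"]), "sid": int(m["sid"]),
            "src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"])}

def parse_suppress(text):
    rules = []
    for line in filter(str.strip, text.splitlines()):
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unsupported threshold line: {line!r}")
        rules.append({"gid": int(m["gid"]), "sid": int(m["sid"]), "track": m["track"],
                      "net": ipaddress.ip_network(m["ip"], strict=False)})
    return rules

def matching_rule(alert, rules):
    for r in rules:
        if (r["gid"], r["sid"]) != (alert["gid"], alert["sid"]):
            continue                      # gen_id and sig_id must both match
        side = alert["src"] if r["track"] == "by_src" else alert["dst"]
        if side in r["net"]:
            return r                      # first rule that silences the alert
    return None

def explain(alert_line, threshold_text):
    alert, rules = parse_alert(alert_line), parse_suppress(threshold_text)
    hit = matching_rule(alert, rules)
    if hit:
        return f"suppressed by gen_id {hit['gid']} sig_id {hit['sid']} {hit['track']} {hit['net']}"
    gids = sorted({r["gid"] for r in rules if r["sid"] == alert["sid"]})
    if gids and alert["gid"] not in gids:
        return f"NOT suppressed: alert has gid {alert['gid']} but rules use gen_id {gids}"
    return "NOT suppressed: no rule matches sid/track/ip"
```

Running `explain(ALERT, BAD_RULES)` reproduces Stefan's situation (gid 1 versus gen_id 139), while `explain(ALERT, GOOD_RULES)` shows the by_dst line on 192.168.1.37 silencing the alert once gen_id is 1.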