[Oisf-devel] SNORT alert on Suricata with Napatech

Dezső dezso.soos at gmail.com
Tue Oct 8 06:33:00 UTC 2019


Dear Members,

I need some help with the problem below.
The SNORT rule does not generate alarms in all cases.
The Napatech card uses all the 20 streams according to the Suricata.yaml
configuration file (attached).
It alerts only in case of HTTP 80 and only 5 times of 100 downloaded eicar
test files.

Suricata 3.2.1; Debian.

The RULE:
alert tcp any any -> any any (msg:"POLICY-OTHER eicar test string download
attempt"; flow:to_client,established; file_data;
content:"7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+"; fast_pattern:only;
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy
security-ips drop; reference:url,www.eicar.org/86-0-Intended-use.html;
classtype:misc-activity; sid:37732; rev:3;)

Any ideas are appreciated.

Best Regards,
Dezső Soós
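As an added example (not from the original post, Suricata or the Snort ruleset), the script below parses the `content:` pattern out of the quoted rule, applies it to the body of a constructed HTTP response carrying the public EICAR test string the way `file_data` would on a fully reassembled body, and then re-runs the check on each TCP-sized slice of that body in isolation. The per-slice function models one hypothesis only, taken here as an assumption rather than a diagnosis: if the packets of a single flow are spread over capture streams that do not share reassembly state, the 45-byte pattern can never be seen whole, which would produce exactly the "alerts only some of the time" symptom. The HTTP response, the segment sizes and the function names are all constructed for the example.

```python
import re

# Snort rule as quoted in the post (options not needed for matching omitted).
RULE = (
    'alert tcp any any -> any any (msg:"POLICY-OTHER eicar test string download '
    'attempt"; flow:to_client,established; file_data; '
    'content:"7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+"; fast_pattern:only; '
    'classtype:misc-activity; sid:37732; rev:3;)'
)

# Constructed sample traffic: the standard 68-byte EICAR test string served as
# an HTTP response body (this is the public anti-virus test string, not malware).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 68\r\n"
    b"\r\n" + EICAR
)

# Matches the quoted value of every content: option in a rule.
_CONTENT_RE = re.compile(r'content:"((?:[^"\\]|\\.)*)"')


def rule_contents(rule: str) -> list[bytes]:
    """Return the content: patterns of a rule as bytes.

    Decodes Snort's |hex bytes| sections and backslash escapes; everything
    else is taken literally, as the rule engine does.
    """
    patterns = []
    for raw in _CONTENT_RE.findall(rule):
        buf = bytearray()
        i = 0
        while i < len(raw):
            ch = raw[i]
            if ch == "|":                       # |41 42| style hex run
                end = raw.index("|", i + 1)
                buf += bytes.fromhex(raw[i + 1:end])
                i = end + 1
            elif ch == "\\":                    # escaped ; " or backslash
                buf.append(ord(raw[i + 1]))
                i += 2
            else:
                buf.append(ord(ch))
                i += 1
        patterns.append(bytes(buf))
    return patterns


def http_body(response: bytes) -> bytes:
    """Split off the HTTP headers; file_data inspects only the body."""
    _head, _sep, body = response.partition(b"\r\n\r\n")
    return body


def matches_file_data(rule: str, response: bytes) -> bool:
    """Rule matches when every content: pattern is found in the whole body."""
    body = http_body(response)
    return all(p in body for p in rule_contents(rule))


def matches_per_segment(rule: str, response: bytes, segment_size: int) -> bool:
    """Assumed failure mode: each segment-sized slice of the body is inspected
    on its own, with no reassembly across slices. Returns True only if some
    single slice already contains the full pattern."""
    body = http_body(response)
    patterns = rule_contents(rule)
    slices = [body[i:i + segment_size] for i in range(0, len(body), segment_size)]
    return any(all(p in s for p in patterns) for s in slices)


if __name__ == "__main__":
    print("pattern:", rule_contents(RULE))
    print("reassembled body matches:", matches_file_data(RULE, HTTP_RESPONSE))
    for size in (32, 64, 68):
        print(f"per-segment ({size} bytes) matches:",
              matches_per_segment(RULE, HTTP_RESPONSE, size))
```

With the body reassembled the rule fires; with the body cut into 32- or 64-byte slices that are inspected independently it does not, while a 68-byte slice (the whole file in one segment) still matches. That is the shape of result to look for when deciding whether every packet of a flow really reaches the same Suricata worker: a rule that alerts only on small responses or only on a fraction of transfers points at reassembly, not at the content pattern itself.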
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Suricata.yaml
Type: application/octet-stream
Size: 70753 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20191008/33c959c7/attachment-0001.obj>