<div dir="ltr">My SOSERVER was doing a (legit) NTP lookup via that IP....<div><br></div><div>Is it possible that<span style="font-family:arial,sans-serif;font-size:13px"> this bug is the cause of the issue?  </span><a href="https://redmine.openinfosecfoundation.org/issues/613" target="_blank" style="font-family:arial,sans-serif;font-size:13px">https://redmine.openinfosecfoundation.org/issues/613</a><br>
<div><br></div><div>-Josh</div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jan 7, 2013 at 8:52 AM, Matt Jonkman <span dir="ltr"><<a href="mailto:jonkman@jonkmans.com" target="_blank">jonkman@jonkmans.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I don't have any ideas on why the suppress isn't working, hopefully someone else may have an idea there.<div>
<br></div><div>I'm chasing down that false positive though. Looks like that IP is an irc server as well which is probably where it got listed in the shadowserver feed. Will ping them to see if they're ok removing it.</div>

<div><br></div><div>Matt</div></div><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="im">On Sun, Jan 6, 2013 at 3:05 PM, Josh Brower <span dir="ltr"><<a href="mailto:joshbrower@gmail.com" target="_blank">joshbrower@gmail.com</a>></span> wrote:<br>

</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr">I am using Suricata with the latest version of Security Onion (12.04), which uses Suricata 1.3.3.  I have threshold.conf with 18 entries.  I have verified that Suricata loaded those 18 rules on startup ("Threshold config parsed: 18 rule(s) found")<p>
</p><div>But I still get alerts firing for these entries... For example, in my threshold.conf:</div><div><br></div><div><p style="font-size:13px;line-height:17.33333396911621px;color:rgb(51,51,51);background-image:none;padding:0px;margin-bottom:10px;font-family:Arial,Helvetica,FreeSans,sans-serif">
#Suppress - ET CNC Shadowserver Reported CnC Server IP (group 38) <span style="color:rgb(85,85,85)"> for  SOSERVER- False Positive -<span style="color:rgb(71,71,71)"> 12/12</span></span></p><p style="font-size:13px;line-height:17.33333396911621px;color:rgb(51,51,51);background-image:none;padding:0px;margin-bottom:10px;font-family:Arial,Helvetica,FreeSans,sans-serif">
<span style="color:rgb(71,71,71)"> </span>suppress gen_id 1, sig_id <span style="color:rgb(71,71,71)">2404037</span>, track by_dst, ip 72.8.140.222</p><p style="font-size:13px;line-height:17.33333396911621px;color:rgb(51,51,51);background-image:none;padding:0px;margin-bottom:10px;font-family:Arial,Helvetica,FreeSans,sans-serif">
I restart Suricata, and I still get this alert firing for the dst IP of 72.8.140.222.</p><p style="font-size:13px;line-height:17.33333396911621px;color:rgb(51,51,51);background-image:none;padding:0px;margin-bottom:10px;font-family:Arial,Helvetica,FreeSans,sans-serif">
What should I troubleshoot next?</p><p style="font-size:13px;line-height:17.33333396911621px;color:rgb(51,51,51);background-image:none;padding:0px;margin-bottom:10px;font-family:Arial,Helvetica,FreeSans,sans-serif">Thanks</p><span><font color="#888888"><p style="font-size:13px;line-height:17.33333396911621px;color:rgb(51,51,51);background-image:none;padding:0px;margin-bottom:10px;font-family:Arial,Helvetica,FreeSans,sans-serif">
-Josh</p></font></span></div></div>
<br></div></div><div class="im">_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br></div></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br>
<br><br>----------------------------------------------------<br>
Matt Jonkman<br>Emerging Threats Pro<br>Open Information Security Foundation (OISF)<br>Phone <a href="tel:866-504-2523%20x110" value="+18665042523" target="_blank">866-504-2523 x110</a><br><a href="http://www.emergingthreatspro.com" target="_blank">http://www.emergingthreatspro.com</a><br>
<a href="http://www.openinfosecfoundation.org" target="_blank">http://www.openinfosecfoundation.org</a><br>
----------------------------------------------------
</font></span></div>
</blockquote></div><br></div>
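<p>Added example, not from the thread or from the Suricata project: a small Python evaluator for threshold.conf <code>suppress</code> entries. It parses lines in the form shown in the thread (<code>suppress gen_id N, sig_id N, track by_src|by_dst|by_either, ip ADDR</code>) and answers the question a practitioner asks first when a suppress "does not work": would this entry actually match the alert as it fires? In particular it shows that <code>track by_dst</code> only matches when the listed IP is the packet's destination, so an alert where 72.8.140.222 is the source is not covered; <code>by_either</code> covers both directions, but that keyword is assumed to be supported only by newer Suricata releases than the 1.3.3 in the thread. The config text and the extra sids, addresses and directions are constructed for the example; the first entry is the one from the post.</p>

```python
"""Evaluate Suricata threshold.conf 'suppress' entries against sample alerts.

Added example; not code from the mailing-list thread or from Suricata itself.
Only 'suppress' lines are interpreted; 'threshold' and 'rate_filter' lines
are ignored. The 'by_either' track keyword is assumed to exist only in
Suricata releases newer than 1.3.3.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed threshold.conf. The first suppress line is the one from the post;
# the other two are hypothetical entries added to exercise by_src and by_either.
SAMPLE_THRESHOLD_CONF = """
# Suppress - ET CNC Shadowserver Reported CnC Server IP (group 38) for SOSERVER - False Positive - 12/12
 suppress gen_id 1, sig_id 2404037, track by_dst, ip 72.8.140.222
# hypothetical entries (not from the thread)
suppress gen_id 1, sig_id 2100498, track by_src, ip 10.0.0.0/8
suppress gen_id 1, sig_id 2013028, track by_either, ip 192.0.2.7
threshold gen_id 1, sig_id 2000001, type limit, track by_src, count 1, seconds 60
"""

# Field order follows the suppress syntax: gen_id, sig_id, track, ip.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,"
    r"\s*track\s+(by_src|by_dst|by_either)\s*,\s*ip\s+(\S+)$"
)


@dataclass(frozen=True)
class Suppress:
    gen_id: int
    sig_id: int
    track: str
    net: "ipaddress.IPv4Network | ipaddress.IPv6Network"


def parse_threshold_conf(text):
    """Return the suppress entries in a threshold.conf body, in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()  # tolerate the leading space seen in the pasted entry
        if not line or line.startswith("#"):
            continue
        if not line.startswith("suppress"):
            continue  # threshold / rate_filter lines are out of scope here
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed suppress entry: {line!r}")
        gen_id, sig_id, track, ip = m.groups()
        # strict=False accepts a plain host address as well as a CIDR block
        net = ipaddress.ip_network(ip, strict=False)
        entries.append(Suppress(int(gen_id), int(sig_id), track, net))
    return entries


def is_suppressed(entries, gen_id, sig_id, src_ip, dst_ip):
    """True if some entry suppresses an alert with this gid/sid and packet IPs.

    gen_id and sig_id must match exactly; the ip is then compared against the
    side of the packet selected by 'track'. A by_dst entry never matches an
    alert in which the listed address is the source.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for e in entries:
        if (e.gen_id, e.sig_id) != (gen_id, sig_id):
            continue
        if e.track == "by_src" and src in e.net:
            return True
        if e.track == "by_dst" and dst in e.net:
            return True
        if e.track == "by_either" and (src in e.net or dst in e.net):
            return True
    return False


if __name__ == "__main__":
    entries = parse_threshold_conf(SAMPLE_THRESHOLD_CONF)
    # The alert from the post: internal host -> 72.8.140.222, sid 2404037.
    print(is_suppressed(entries, 1, 2404037, "192.168.1.10", "72.8.140.222"))
    # Same sid, but 72.8.140.222 is the source: by_dst does not cover it.
    print(is_suppressed(entries, 1, 2404037, "72.8.140.222", "192.168.1.10"))
```

<p>Run it as a script to see the two directions side by side; to check a real sensor, replace <code>SAMPLE_THRESHOLD_CONF</code> with the contents of the deployed threshold.conf and feed in the gid, sid, source and destination from the alert as Suricata logged it, since it is the packet that triggered the rule, not the rule header, that decides which side <code>by_dst</code> looks at.</p>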