<br><br><div class="gmail_quote">On Wed, Mar 27, 2013 at 3:30 PM, Jose Paulo <span dir="ltr"><<a href="mailto:paulo@sistemasolar.com.br" target="_blank">paulo@sistemasolar.com.br</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>Thank you Peter Manev.<br>
      <br>
      1) Yes, it's correct. It's a pcap file captured at this time.<br></div></div></blockquote><div>:) , understood.<br> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div>
      2) Sorry, I can't. But I received authorization to post the
      alert-debug, if it helps.<br></div></div></blockquote><div>It will be a bit tough pinpointing/troubleshooting "blindly" why you have a problem.<br>You could share the alert-debug and/or the pcap privately if you would like.<br>
Also:<br>3) Which Suricata version are you running / the output of:<br>suricata --build-info<br>4) How do you start/run Suricata?<br><br>would be helpful as well.<br>Thanks<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div>
      <br>
      Thanks again.<br>
      <br>
      José Paulo<br>
      <br>
      <br>
      On 27/03/2013 09:34, Peter Manev wrote:<br>
    </div><div><div class="h5">
    <blockquote type="cite"><br>
      <br>
      <div class="gmail_quote">On Wed, Mar 27, 2013 at 1:03 PM, Jose
        Paulo <span dir="ltr"><<a href="mailto:paulo@sistemasolar.com.br" target="_blank">paulo@sistemasolar.com.br</a>></span>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
          Hello all.<br>
          <br>
          I'm studying Suricata and I got this result:<br>
          <br>
          11/16/2011-15:00:00.198278  [**] [1:9000005:0] HEX offset 503
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:00:00.198278  [**] [1:9000004:0] HEX offset 510
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:00:09.374228  [**] [1:9000005:0] HEX offset 503
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:00:09.374228  [**] [1:9000004:0] HEX offset 510
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:00:09.374228  [**] [1:9000001:0] HEX no offset
           [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:31.769957  [**] [1:9000005:0] HEX offset 503
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:38.380502  [**] [1:9000005:0] HEX offset 503
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:38.380502  [**] [1:9000001:0] HEX no offset
           [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:44.609767  [**] [1:9000005:0] HEX offset 503
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:44.609767  [**] [1:9000004:0] HEX offset 510
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:44.609767  [**] [1:9000002:0] HEX offset 514
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:48.726883  [**] [1:9000005:0] HEX offset 503
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:48.726883  [**] [1:9000004:0] HEX offset 510
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:48.726883  [**] [1:9000002:0] HEX offset 514
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:48.726883  [**] [1:9000001:0] HEX no offset
           [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          <br>
          against this rule set:<br>
          <br>
          alert tcp any any <> any 23 (msg:"HEX no offset "; content: "|F8 F8 F8 F8 40 C3 81 89 A7 81|"; sid:9000001;)<br>
          alert tcp any any <> any 23 (msg:"HEX offset 514"; content: "|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:514; sid:9000002;)<br>
          alert tcp any any <> any 23 (msg:"HEX offset 516"; content: "|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:516; sid:9000003;)<br>
          alert tcp any any <> any 23 (msg:"HEX offset 510"; content: "|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:510; sid:9000004;)<br>
          alert tcp any any <> any 23 (msg:"HEX offset 503"; content: "|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:503; sid:9000005;)<br>
          <br>
          My doubts are:<br>
          <br>
          1) Why am I getting alerts for sids 9000004 and 9000005 for the same
          packet if the<br>
          offset is shifted?<br>
          <br>
          11/16/2011-15:01:48.726883  [**] [1:9000005:0] HEX offset 503
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:48.726883  [**] [1:9000004:0] HEX offset 510
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:48.726883  [**] [1:9000002:0] HEX offset 514
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:48.726883  [**] [1:9000001:0] HEX no offset
           [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          <br>
          2) Why am I not getting alerts for sid 9000001 if I got them for the
          others?<br>
          <br>
          11/16/2011-15:01:44.609767  [**] [1:9000005:0] HEX offset 503
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:44.609767  [**] [1:9000004:0] HEX offset 510
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:44.609767  [**] [1:9000002:0] HEX offset 514
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          <br>
          The expected result is only this:<br>
          11/16/2011-15:00:09.374228  [**] [1:9000004:0] HEX offset 510
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:00:09.374228  [**] [1:9000001:0] HEX no offset
           [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:38.380502  [**] [1:9000005:0] HEX offset 503
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:38.380502  [**] [1:9000001:0] HEX no offset
           [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:48.726883  [**] [1:9000002:0] HEX offset 514
          [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          11/16/2011-15:01:48.726883  [**] [1:9000001:0] HEX no offset
           [**]<br>
          [Classification: (null)] [Priority: 3] {TCP} <a href="http://10.31.15.32:23" target="_blank">10.31.15.32:23</a> -><br>
          <a href="http://10.85.185.2:43569" target="_blank">10.85.185.2:43569</a><br>
          <br>
          I don't understand why the others occur.<br>
          Any enlightenment will be welcome.<br>
          <br>
          Best regards!<br>
          <br>
          José Paulo<br>
          <br>
          _______________________________________________<br>
          Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
          Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a>
          | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
          List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
          OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
        </blockquote>
      </div>
      <br>
      <br>
      Hi,<br>
      A couple of questions:<br>
      1) 11/16/2011- is that really the time in the current packets?<br>
      2) Can you share a pcap, if that is OK?<br>
      <br>
      Thank you<br>
      <br>
      <br clear="all">
      <br>
      -- <br>
      <div>
        Regards,</div>
      <div>Peter Manev</div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br><br clear="all"><br>-- <br><div>Regards,</div>
<div>Peter Manev</div>
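<div>Added example (not code from this thread, and not Suricata's own code): the first question above turns on what <code>offset</code> means in a content rule. In Suricata, <code>offset:N</code> only sets where the search window <i>starts</i>; the pattern may begin at byte N or anywhere later in the payload, so a pattern sitting at byte 514 satisfies the rules with offset 503, 510 and 514 at once, and only <code>depth</code> (counted from the offset) pins it to a fixed position. The Python below emulates that per-payload semantics with the thread's five sids and constructed payloads; the 10-byte pattern is the one from the rules, the telnet-like filler bytes are made up, and the script does not model stream reassembly, which real Suricata also applies.</div>

```python
"""Emulate Suricata-style content/offset/depth matching on a single payload.

Added illustration, not Suricata code. Semantics modelled:
  - offset:N  -> the search window starts at payload byte N (0-based); the
                 pattern may begin at N or anywhere later.
  - depth:N   -> the search window is N bytes long, counted from the offset
                 (from byte 0 when no offset is given).
Without depth, offset is only a lower bound, so several rules with
different offsets can all fire on the same packet.
"""
from dataclasses import dataclass
from typing import List, Optional

# The 10-byte content used by every rule in the thread.
PATTERN = bytes.fromhex("F8F8F8F840C38189A781")


@dataclass(frozen=True)
class ContentRule:
    sid: int
    msg: str
    content: bytes
    offset: int = 0
    depth: Optional[int] = None

    def matches(self, payload: bytes) -> bool:
        """True if `content` occurs fully inside the offset/depth window."""
        end = len(payload) if self.depth is None else self.offset + self.depth
        window = payload[self.offset:end]
        return self.content in window


# The rule set from the thread, same sids, same offsets (516 included).
RULES = [
    ContentRule(9000001, "HEX no offset", PATTERN),
    ContentRule(9000002, "HEX offset 514", PATTERN, offset=514),
    ContentRule(9000003, "HEX offset 516", PATTERN, offset=516),
    ContentRule(9000004, "HEX offset 510", PATTERN, offset=510),
    ContentRule(9000005, "HEX offset 503", PATTERN, offset=503),
]


def make_payload(position: int, total: int = 600) -> bytes:
    """Constructed payload of `total` filler bytes (0x20) with PATTERN at `position`."""
    filler = b"\x20" * total
    return filler[:position] + PATTERN + filler[position + len(PATTERN):]


def firing_sids(payload: bytes, rules=RULES) -> List[int]:
    """Sorted sids of the rules that would alert on this payload."""
    return sorted(r.sid for r in rules if r.matches(payload))


# Same pattern position, but pinned with depth so only an exact hit fires.
PINNED_514 = ContentRule(9000002, "HEX exactly at 514", PATTERN,
                         offset=514, depth=len(PATTERN))


if __name__ == "__main__":
    for pos in (503, 510, 514, 516):
        print(f"pattern at byte {pos}: sids {firing_sids(make_payload(pos))}")
    for pos in (513, 514, 515):
        print(f"pinned offset:514 depth:10, pattern at {pos}: "
              f"{PINNED_514.matches(make_payload(pos))}")
```

<div>With the pattern at byte 514 the emulation fires sids 9000001, 9000002, 9000004 and 9000005 together, which is exactly the combination seen in the 15:01:48 alerts above, while the offset:516 rule stays silent because its window starts past the pattern. Whether sid 9000001 should also have fired at 15:01:44 is a separate question that depends on the actual packet and stream data, which is why the pcap or alert-debug output was requested.</div>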