<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Thank you Peter Manev.<br>
<br>
1) Yes, it's correct. It's a pcap file captured at this time.<br>
2) Sorry, I can't. But I received authorization to post the
alert-debug, if it helps.<br>
<br>
Thanks again.<br>
<br>
José Paulo<br>
<br>
<br>
On 27/03/2013 09:34, Peter Manev wrote:<br>
</div>
<blockquote
cite="mid:CAMhe82JLPYkBbxCS-rSjptV92i247DaU3UYJ=D=Ju4uDHq9+rA@mail.gmail.com"
type="cite"><br>
<br>
<div class="gmail_quote">On Wed, Mar 27, 2013 at 1:03 PM, Jose
Paulo <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:paulo@sistemasolar.com.br" target="_blank">paulo@sistemasolar.com.br</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello all.<br>
<br>
I'm studying Suricata and I got this result:<br>
<br>
11/16/2011-15:00:00.198278 [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:00:00.198278 [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:00:09.374228 [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:00:09.374228 [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:00:09.374228 [**] [1:9000001:0] HEX no offset [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:31.769957 [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:38.380502 [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:38.380502 [**] [1:9000001:0] HEX no offset [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:44.609767 [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:44.609767 [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:44.609767 [**] [1:9000002:0] HEX offset 514 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:48.726883 [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:48.726883 [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:48.726883 [**] [1:9000002:0] HEX offset 514 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:48.726883 [**] [1:9000001:0] HEX no offset [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
<br>
against this rule set:<br>
<br>
alert tcp any any <> any 23 (msg:"HEX no offset"; content:"|F8 F8 F8 F8 40 C3 81 89 A7 81|"; sid:9000001;)<br>
alert tcp any any <> any 23 (msg:"HEX offset 514"; content:"|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:514; sid:9000002;)<br>
alert tcp any any <> any 23 (msg:"HEX offset 516"; content:"|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:516; sid:9000003;)<br>
alert tcp any any <> any 23 (msg:"HEX offset 510"; content:"|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:510; sid:9000004;)<br>
alert tcp any any <> any 23 (msg:"HEX offset 503"; content:"|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:503; sid:9000005;)<br>
<br>
My doubts are:<br>
<br>
1) Why am I getting alerts for sids 9000004 and 9000005 for the same
packet if the<br>
offset is shifted?<br>
<br>
11/16/2011-15:01:48.726883 [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:48.726883 [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:48.726883 [**] [1:9000002:0] HEX offset 514 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:48.726883 [**] [1:9000001:0] HEX no offset [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
<br>
2) Why am I not getting alerts for sid 9000001 if I got them for the
others?<br>
<br>
11/16/2011-15:01:44.609767 [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:44.609767 [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:44.609767 [**] [1:9000002:0] HEX offset 514 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
<br>
The expected result is only this:<br>
11/16/2011-15:00:09.374228 [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:00:09.374228 [**] [1:9000001:0] HEX no offset [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:38.380502 [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:38.380502 [**] [1:9000001:0] HEX no offset [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:48.726883 [**] [1:9000002:0] HEX offset 514 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
11/16/2011-15:01:48.726883 [**] [1:9000001:0] HEX no offset [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569<br>
<br>
I don't understand why the others occur.<br>
Any enlightenment will be welcome.<br>
<br>
Best regards!<br>
<br>
José Paulo<br>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a moz-do-not-send="true"
href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a moz-do-not-send="true"
href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a>
| Support: <a moz-do-not-send="true"
href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a moz-do-not-send="true"
href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users"
target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a moz-do-not-send="true"
href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</blockquote>
</div>
<br>
<br>
Hi,<br>
A couple of questions:<br>
1) 11/16/2011- is that really the time in the current packets?<br>
2) Can you share a pcap, if that is OK?<br>
<br>
Thank you<br>
<br>
<br clear="all">
<br>
-- <br>
<div>
Regards,</div>
<div>Peter Manev</div>
</blockquote>
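<p>Added example, not part of the thread above and not Suricata's own code: a small Python emulator of the <tt>content</tt>/<tt>offset</tt>/<tt>depth</tt> matching that the posted rules rely on. In Suricata (as in Snort), <tt>offset:N</tt> only sets the byte at which the search starts; without a <tt>depth</tt>, the search runs to the end of the buffer, so a pattern that begins at byte 514 also satisfies <tt>offset:510</tt> and <tt>offset:503</tt>, which is what question 1 in the thread is seeing. The five rules, their sids and the hex content are copied from the post; the payloads (zero filler with the pattern planted at a chosen byte) are constructed for the example, and the payload length of 600 is an arbitrary assumption.</p>

```python
"""Emulate Suricata's content/offset/depth matching over constructed payloads.

Added example (not from the mailing-list thread or the Suricata code base).
It reproduces the five rules from the post and shows why `offset:503` and
`offset:510` both fire on one buffer: `offset` only sets where the search
STARTS; `depth` is what bounds where it may END.
"""
from dataclasses import dataclass
from typing import List, Optional

# The content bytes from the posted rules.
PATTERN = bytes.fromhex("F8 F8 F8 F8 40 C3 81 89 A7 81")


@dataclass(frozen=True)
class ContentRule:
    sid: int
    msg: str
    content: bytes
    offset: int = 0              # byte in the payload where the search starts
    depth: Optional[int] = None  # bytes, counted from `offset`, the search may cover

    def matches(self, payload: bytes) -> bool:
        """Suricata/Snort semantics: look for content in payload[offset : offset+depth]."""
        end = len(payload) if self.depth is None else self.offset + self.depth
        return payload.find(self.content, self.offset, end) != -1

    def pinned(self) -> "ContentRule":
        """Same rule with depth:len(content), so the match must begin exactly at offset."""
        return ContentRule(self.sid, self.msg, self.content, self.offset, len(self.content))

    def as_rule(self) -> str:
        """Render back to Suricata rule syntax (protocol, ports and direction as in the post)."""
        hex_bytes = " ".join(f"{b:02X}" for b in self.content)
        opts = [f'msg:"{self.msg}"', f'content:"|{hex_bytes}|"']
        if self.offset:
            opts.append(f"offset:{self.offset}")
        if self.depth is not None:
            opts.append(f"depth:{self.depth}")
        opts.append(f"sid:{self.sid}")
        return f"alert tcp any any <> any 23 ({'; '.join(opts)};)"


# The five rules from the post, same sids and offsets.
RULES: List[ContentRule] = [
    ContentRule(9000001, "HEX no offset", PATTERN),
    ContentRule(9000002, "HEX offset 514", PATTERN, offset=514),
    ContentRule(9000003, "HEX offset 516", PATTERN, offset=516),
    ContentRule(9000004, "HEX offset 510", PATTERN, offset=510),
    ContentRule(9000005, "HEX offset 503", PATTERN, offset=503),
]


def build_payload(position: int, total: int = 600) -> bytes:
    """Constructed sample payload: zero filler with PATTERN planted at `position`.

    The total length of 600 bytes is an assumption made for the example.
    """
    if position < 0 or position + len(PATTERN) > total:
        raise ValueError("pattern does not fit in payload")
    buf = bytearray(total)
    buf[position:position + len(PATTERN)] = PATTERN
    return bytes(buf)


def firing_sids(payload: bytes, rules: List[ContentRule] = RULES) -> List[int]:
    """Sids that would alert on `payload`, in ascending sid order."""
    return sorted(r.sid for r in rules if r.matches(payload))


def pin_offset_rules(rules: List[ContentRule] = RULES) -> List[ContentRule]:
    """Add depth to every rule that has an offset; leave the no-offset rule alone."""
    return [r.pinned() if r.offset else r for r in rules]


if __name__ == "__main__":
    for pos in (503, 510, 514, 516):
        p = build_payload(pos)
        print(f"pattern at byte {pos}: loose rules fire {firing_sids(p)}, "
              f"pinned rules fire {firing_sids(p, pin_offset_rules())}")
    print()
    for r in pin_offset_rules():
        print(r.as_rule())
```

<p>With the pattern planted at byte 514, the loose rules fire sids 9000001, 9000002, 9000004 and 9000005, the same set the post reports for one timestamp; after pinning each offset rule with <tt>depth:10</tt> (the pattern length) only 9000001 and 9000002 fire, and the offset rules become mutually exclusive. The emulator inspects one buffer at a time; Suricata also inspects reassembled stream data, so the byte positions it matches on need not be those of a single packet's TCP payload. Nothing here accounts for question 2 (the no-offset rule staying silent while its narrower variants fire).</p>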
<br>
</body>
</html>