<div dir="ltr">Are you sure the box is seeing all traffic? Is it inline, or on a tap, etc?<div><br></div><div>Matt</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Mar 30, 2013 at 11:14 AM, Leonard Jacobs <span dir="ltr"><<a href="mailto:ljacobs@netsecuris.com" target="_blank">ljacobs@netsecuris.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The only event I am getting is ET POLICY Unusual number of DNS No Such Name Responses.<u></u><u></u></span></p>
<div class="im"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:mjonkman@emergingthreatspro.com" target="_blank">mjonkman@emergingthreatspro.com</a> [mailto:<a href="mailto:mjonkman@emergingthreatspro.com" target="_blank">mjonkman@emergingthreatspro.com</a>] <b>On Behalf Of </b>Matt Jonkman<br>
<b>Sent:</b> Saturday, March 30, 2013 8:40 AM<br><b>To:</b> Leonard Jacobs<br><b>Cc:</b> <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a>; Eric Leblond<br><b>Subject:</b> Re: [Oisf-users] Question<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Definitely should have. What rules are you running? Just the ET Open?<u></u><u></u></p><div><div class="h5"><div><p class="MsoNormal"><u></u> <u></u></p>
</div><div><p class="MsoNormal">Have your vars set right?<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Are you seeing other events?<u></u><u></u></p></div><div><p class="MsoNormal">
<u></u> <u></u></p></div><div><p class="MsoNormal">Matt<u></u><u></u></p></div></div></div></div><div><div class="h5"><div><p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p><div><p class="MsoNormal">On Fri, Mar 29, 2013 at 5:04 PM, Leonard Jacobs <<a href="mailto:ljacobs@netsecuris.com" target="_blank">ljacobs@netsecuris.com</a>> wrote:<u></u><u></u></p>
<div><div><p class="MsoNormal">Why would Suricata events not be triggered when running a vulnerability scanner? I ran OpenVAS against a couple of public IP addresses on our network and not a single event was triggered. I would have thought that at least emerging-scan.rules would trigger.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal">Thanks.<u></u><u></u></p><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">Leonard Jacobs</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">President/CEO</span><u></u><u></u></p><p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">Netsecuris Inc.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">9301 Bryant Avenue S</span><u></u><u></u></p><p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">Suite 104</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">Minneapolis, MN 55420</span><u></u><u></u></p><p class="MsoNormal"><span style="font-family:"Arial","sans-serif""><a href="tel:%28952%29%20641-1421%20ext.%2020" target="_blank">(952) 641-1421 ext. 20</a></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-family:"Arial","sans-serif""><a href="http://www.netsecuris.com" target="_blank">http://www.netsecuris.com</a></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-family:"Arial","sans-serif""><img border="0" width="288" height="96" src="cid:image001.jpg@01CE2D2F.5B5987B0" alt="logo_tagline3x1"></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><u></u><u></u></p><p class="MsoNormal"> <u></u><u></u></p></div></div><p class="MsoNormal"><br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><u></u><u></u></p>
</div><p class="MsoNormal"><br><br clear="all"><u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><p class="MsoNormal">-- <br><br><br>----------------------------------------------------<br>Matt Jonkman<br>
Emerging Threats Pro<br>Open Information Security Foundation (OISF)<br>Phone <a href="tel:866-504-2523%20x110" value="+18665042523" target="_blank">866-504-2523 x110</a><br><a href="http://www.emergingthreatspro.com" target="_blank">http://www.emergingthreatspro.com</a><br>
<a href="http://www.openinfosecfoundation.org" target="_blank">http://www.openinfosecfoundation.org</a><br>---------------------------------------------------- <u></u><u></u></p></div></div></div></div></div><br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><br><br>----------------------------------------------------<br>
Matt Jonkman<br>Emerging Threats Pro<br>Open Information Security Foundation (OISF)<br>Phone 866-504-2523 x110<br><a href="http://www.emergingthreatspro.com" target="_blank">http://www.emergingthreatspro.com</a><br><a href="http://www.openinfosecfoundation.org" target="_blank">http://www.openinfosecfoundation.org</a><br>
----------------------------------------------------
</div>