<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.western, li.western, div.western
{mso-style-name:western;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Yeah, it would be a common occurrence to have more than one flowbit-related signature return. I’m currently scripting it myself. Though from an Analyst perspective
I disagree that an ideal situation would return all associated flowbits. That could certainly get messy; and border on debugging the matching functionality.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> erik clark [mailto:philosnef@gmail.com]
<br>
<b>Sent:</b> Tuesday, November 22, 2016 6:56 AM<br>
<b>To:</b> Adam Witt<br>
<b>Cc:</b> Jason Ish; oisf-users@lists.openinfosecfoundation.org<br>
<b>Subject:</b> Re: [Oisf-users] eve.json logging issues<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Flowbits could be messy. You might have more than one flowbit, and in any case, you would ideally like to wrap all the sigs that were associated with a flowbit flow into the alert. That could get very ugly.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I think just getting the sig into the alerts would be great as a start. :)<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Nov 21, 2016 at 8:01 PM, Adam Witt <<a href="mailto:AWitt@westernalliancebank.com" target="_blank">AWitt@westernalliancebank.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal">Shortly after sending this, I realized that I asked for two different things. I wouldn't want to log signatures for all set flowbits in a given flow - just signatures which set flowbits that the alerting rule relied on to fire.<br>
<br>
--<br>
Adam<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><br>
-----Original Message-----<br>
From: Oisf-users [mailto:<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@lists.openinfosecfoundation.org</a>] On Behalf Of Adam Witt<br>
Sent: Monday, November 21, 2016 5:08 PM<br>
To: Jason Ish; erik clark<br>
Cc: <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br>
Subject: Re: [Oisf-users] eve.json logging issues<br>
<br>
+1, adding signature logic to alert output would be a nice convenience.<br>
<br>
In that same context, would it be interesting to look at optionally appending signature logic related to flowbits as well? Specifically the signatures which 'set' flowbits required for an alert to fire. My initial thinking is the alert log could include both
the alert signature, and the logic for flowbit-related signatures which remained set in the 'flowvars' structure at the time an alert signature matched. I may be considering the wrong aspects of Suricata for the development piece - but this might help provide
a well-rounded representation of the decision-making involved in a given alert firing.<br>
<br>
--<br>
Adam<br>
<br>
<br>
-----Original Message-----<br>
From: Oisf-users [mailto:<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@lists.openinfosecfoundation.org</a>] On Behalf Of Jason Ish<br>
Sent: Thursday, November 17, 2016 11:45 AM<br>
To: erik clark<br>
Cc: <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br>
Subject: Re: [Oisf-users] eve.json logging issues<br>
<br>
On Thu, Nov 17, 2016 at 12:30 PM, erik clark <<a href="mailto:philosnef@gmail.com">philosnef@gmail.com</a>> wrote:<br>
> Thanks! That worked.<br>
><br>
> Is there a way to get the actual content of the signature into the<br>
> alert? So not just the payload, subject, flowdata and so forth, but<br>
> the actual signature itself, so someone can look at it in the alert to<br>
> see why it may have fired erroneously...<br>
<br>
No, not currently. But you aren't the first one to ask so perhaps its something we should think about doing.<br>
<br>
Jason<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">
oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:
<a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 9-11 in Washington, DC: <a href="http://suricon.net" target="_blank">
http://suricon.net</a><br>
<br>
CONFIDENTIALITY. This email and any attachments are confidential, except where the email states it can be disclosed; it may also be privileged. If received in error, please do not disclose the contents to anyone, but notify the sender by return email and delete
this email (and any attachments) from your system.<br>
Need to send me a file too big for email? You can upload it at <a href="http://westernalliancebancorp.sharefile.com" target="_blank">
westernalliancebancorp.sharefile.com</a><<a href="http://westernalliancebancorp.sharefile.com/" target="_blank">westernalliancebancorp.sharefile.com/</a>><br>
________________________________<br>
<br>
CONFIDENTIALITY. This email and any attachments are confidential, except where the email states it can be disclosed; it may also be privileged. If received in error, please do not disclose the contents to anyone, but notify the sender by return email and delete
this email (and any attachments) from your system.<br>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">
oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:
<a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal">Suricata User Conference November 9-11 in Washington, DC: <a href="http://suricon.net" target="_blank">
http://suricon.net</a> Need to send me a file too big for email? You can upload it at
<a href="http://westernalliancebancorp.sharefile.com" target="_blank">westernalliancebancorp.sharefile.com</a><<a href="http://westernalliancebancorp.sharefile.com/" target="_blank">westernalliancebancorp.sharefile.com/</a>><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">________________________________<br>
<br>
CONFIDENTIALITY. This email and any attachments are confidential, except where the email states it can be disclosed; it may also be privileged. If received in error, please do not disclose the contents to anyone, but notify the sender by return email and delete
this email (and any attachments) from your system.<br>
<br>
Need to send me a file too big for email? You can upload it at <a href="http://westernalliancebancorp.sharefile.com" target="_blank">
westernalliancebancorp.sharefile.com</a><<a href="http://westernalliancebancorp.sharefile.com/" target="_blank">westernalliancebancorp.sharefile.com/</a>><br>
________________________________<br>
<br>
CONFIDENTIALITY. This email and any attachments are confidential, except where the email states it can be disclosed; it may also be privileged. If received in error, please do not disclose the contents to anyone, but notify the sender by return email and delete
this email (and any attachments) from your system.<o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p style="mso-margin-top-alt:13.7pt;margin-right:0in;margin-bottom:13.7pt;margin-left:0in">
<a name="_GoBack"></a><i>Need to send me a file too big for email? You can upload it at
</i><a href="westernalliancebancorp.sharefile.com/"><b><i>westernalliancebancorp.sharefile.com</i></b></a><i>
</i><o:p></o:p></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<p class="western" style="margin-bottom:0in;margin-bottom:.0001pt"><span style="font-size:7.0pt;font-family:"Arial","sans-serif";color:gray">CONFIDENTIALITY. This email and any attachments are confidential, except where the email states it can be disclosed;
it may also be privileged. If received in error, please do not disclose the contents to anyone, but notify the sender by return email and delete this email (and any attachments) from your system.</span><o:p></o:p></p>
<p class="western" style="margin-bottom:0in;margin-bottom:.0001pt"><o:p> </o:p></p>
</div>
<p style="margin-top: 0.19in; margin-bottom: 0.19in"><a name="_GoBack"></a><font face="Times New Roman, serif"><font size="3"><i>Need to send me a file too big for email? You can upload it at
</i><a href="westernalliancebancorp.sharefile.com/"><i><b>westernalliancebancorp.sharefile.com</b></i></a><i>
</i></font></font></p>
<hr>
<p></p>
<p class="western" align="CENTER" style="margin-bottom: 0in"></p>
<p class="western" style="margin-bottom: 0in"><font color="#808080"><font face="Arial, serif"><font size="1" style="font-size: 7pt">CONFIDENTIALITY. This email and any attachments are confidential, except where the email states it can be disclosed; it may also
be privileged. If received in error, please do not disclose the contents to anyone, but notify the sender by return email and delete this email (and any attachments) from your system.</font></font></font></p>
<p class="western" style="margin-bottom: 0in"><br>
</p>
</body>
</html>