[Oisf-devel] two alerts for one content, why?
rmkml
rmkml at yahoo.fr
Tue Jun 26 23:51:22 UTC 2012
Hi,
OK, I have attached a pcap file that contains an SSH server (Dropbear), but I'm curious why Suricata fires two times?
# with this sig, suricata fire two times:
alert tcp any 22 -> any any (msg:"dropbear detect 2"; flow:to_client,established; content:"SSH-"; depth:4; offset:0; content:"dropbear_"; nocase; within:40; distance:0; classtype:attempted-admin; sid:990995; rev:1; )
# with this sig, suricata fire one time:
alert tcp any 22 -> any any (msg:"dropbear detect 1"; flow:to_client,established; content:"dropbear_"; nocase; classtype:attempted-admin; sid:990994; rev:1; )
Can anyone replay this test, please?
If yes, I'll open a new Redmine ticket.
Of course, Snort fires one time per sig.
Tested Suricata git as of 24 Jun.
Regards
Rmkml
http://twitter.com/rmkml
Attachment (scrubbed by the list archive): dropbear.pcap, application/octet-stream, 555 bytes
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120627/cb361911/attachment.obj>
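To make clear what the two signatures in the post actually match, here is an added example (not from the original post, and not Suricata's own matching code): a minimal evaluator for the `content` modifiers used in sid:990995 and sid:990994 (`offset`, `depth`, `distance`, `within`, `nocase`), run against constructed Dropbear-style and OpenSSH-style banners. The banners are constructed for the example and are not taken from the attached pcap. The evaluator models only the byte-matching semantics of those keywords; it says nothing about how Suricata schedules inspection of individual packets versus the reassembled stream, which is what the thread's question about duplicate alerts comes down to.

```python
# Added example: a minimal evaluator for Suricata/Snort `content` modifiers.
# Not part of the original post or of Suricata's source code.

def find_content(payload, pattern, offset=0, depth=None,
                 distance=None, within=None, nocase=False, last_end=0):
    """Return (start, end) of the first match satisfying the modifiers, or None.

    offset/depth define an absolute window measured from the start of the
    payload (with offset:0, as in the rule, Snort's and Suricata's depth
    conventions agree). distance/within define a window relative to the
    end of the previous content match (last_end). The pattern must fit
    entirely inside the window.
    """
    hay, pat = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
    if distance is not None or within is not None:
        start = last_end + (distance or 0)
        end = len(hay) if within is None else start + within
    else:
        start = offset
        end = len(hay) if depth is None else offset + depth
    idx = hay[start:end].find(pat)
    if idx < 0:
        return None
    return (start + idx, start + idx + len(pat))


def rule_990995(payload):
    """sid:990995: content:"SSH-"; depth:4; offset:0;
    content:"dropbear_"; nocase; within:40; distance:0;"""
    m1 = find_content(payload, b"SSH-", offset=0, depth=4)
    if m1 is None:
        return False
    # Second content is relative to the end of the first match.
    m2 = find_content(payload, b"dropbear_", nocase=True,
                      distance=0, within=40, last_end=m1[1])
    return m2 is not None


def rule_990994(payload):
    """sid:990994: content:"dropbear_"; nocase; (no position constraints)"""
    return find_content(payload, b"dropbear_", nocase=True) is not None


# Constructed sample banners (assumptions for this example, not pcap data).
DROPBEAR_BANNER = b"SSH-2.0-dropbear_0.52\r\n"
OPENSSH_BANNER = b"SSH-2.0-OpenSSH_5.9p1\r\n"
# "dropbear_" is present but ends more than 40 bytes after "SSH-" ends,
# so the within:40 constraint of sid:990995 rejects it.
FAR_BANNER = b"SSH-2.0-" + b"x" * 40 + b"dropbear_0.52\r\n"


def evaluate(payload):
    """Evaluate both signatures against one server-to-client payload."""
    return {"990995": rule_990995(payload), "990994": rule_990994(payload)}


if __name__ == "__main__":
    for name, banner in [("dropbear", DROPBEAR_BANNER),
                         ("openssh", OPENSSH_BANNER),
                         ("far", FAR_BANNER)]:
        print(name, evaluate(banner))
```

Each signature matches a given banner at most once in this evaluator, so on pure matching semantics both rules agree on the Dropbear banner; the only difference between them is that sid:990995 also anchors `dropbear_` to within 40 bytes of the `SSH-` prefix, as the `FAR_BANNER` case shows.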