[Oisf-users] Should this be firing?

rmkml rmkml at yahoo.fr
Wed Jul 13 15:53:27 UTC 2011


Hi Paul and Will,
Thx for previous comments,
Warning: this sig contains flowbits:noalert... this rule never fire.
Regards
Rmkml


On Wed, 13 Jul 2011, Will Metcalf wrote:

> Based on the signature... ya... perhaps
> flowbits:isnotset,is_proto_irc; should be
> flowbits:isset,is_proto_irc;, also I'm not sure what offset:0; is
> doing in there, it adds nothing to the rule.
>
> Regards,
>
> Will
>
> On Wed, Jul 13, 2011 at 10:37 AM, Paul Halliday <paul.halliday at gmail.com> wrote:
>> SID 2002027: ET CHAT IRC PING
>> alert tcp any any -> any any (msg:"ET CHAT IRC PING command";
>> flowbits:isnotset,is_proto_irc; flow: from_server,established;
>> content:"PING|20|"; nocase; offset: 0; flowbits: set,irc.ping;
>> flowbits:noalert;
>>
>>
>> On:
>>
>> ping basket">...........</a>.....................................</td>........<td>....
>> ......................
>> ... ......................................
>>
>> Or:
>>
>> ping in an Underwater Bedroom Would Be Amazing</a></h1>.......<div
>> class="post-body">........<p>.........The Conrad Mald
>> ives Rangali Island Hotel in the Indian Ocean has a stunning undersea
>> restaurant. To celebrate its 5th anniversary, the
>> hotel turned the restaurant into a private bedroom for two with a
>> fancy champagne dinner and breakfast in bed..........<
>> a href="http://gizmodo.com/5820721/sleeping-in-an-underwater-bedroom-would-be-amazing"
>>
>> I have a few rules today that seem to be acting a little strange. A
>> setting maybe?
>>
>> [100153] 13/7/2011 -- 12:37:35 - (suricata.c:431) <Info> (main) --
>> This is Suricata version 1.0.4
>>
>>
>> Thanks.
>>
>> --
>> Paul Halliday
>> http://www.squertproject.org/
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>



More information about the Oisf-users mailing list