[Oisf-users] Should this be firing?
Will Metcalf
william.metcalf at gmail.com
Wed Jul 13 15:52:39 UTC 2011
Ahh well actually because of "flowbits:noalert;"... It shouldn't fire
:D... but outside of this, the rule appears to be broken anyway.
Regards,
Will
On Wed, Jul 13, 2011 at 10:50 AM, Paul Halliday <paul.halliday at gmail.com> wrote:
> On Wed, Jul 13, 2011 at 12:43 PM, Will Metcalf
> <william.metcalf at gmail.com> wrote:
>> Based on the signature... ya... perhaps
>> flowbits:isnotset,is_proto_irc; should be
>> flowbits:isset,is_proto_irc;, also I'm not sure what offset:0; is
>> doing in there, it adds nothing to the rule.
>>
>> Regards,
>>
>> Will
>>
>
> So, the signature should be renamed to "ET Contains string *ping"?
>
> It looks like it is firing on any web request.
>
>> On Wed, Jul 13, 2011 at 10:37 AM, Paul Halliday <paul.halliday at gmail.com> wrote:
>>> SID 2002027: ET CHAT IRC PING
>>> alert tcp any any -> any any (msg:"ET CHAT IRC PING command";
>>> flowbits:isnotset,is_proto_irc; flow: from_server,established;
>>> content:"PING|20|"; nocase; offset: 0; flowbits: set,irc.ping;
>>> flowbits:noalert;
>>>
>>>
>>> On:
>>>
>>> ping basket">...........</a>.....................................</td>........<td>....
>>> ......................
>>> ... ......................................
>>>
>>> Or:
>>>
>>> ping in an Underwater Bedroom Would Be Amazing</a></h1>.......<div
>>> class="post-body">........<p>.........The Conrad Mald
>>> ives Rangali Island Hotel in the Indian Ocean has a stunning undersea
>>> restaurant. To celebrate its 5th anniversary, the
>>> hotel turned the restaurant into a private bedroom for two with a
>>> fancy champagne dinner and breakfast in bed..........<
>>> a href="http://gizmodo.com/5820721/sleeping-in-an-underwater-bedroom-would-be-amazing"
>>>
>>> I have a few rules today that seem to be acting a little strange. A
>>> setting maybe?
>>>
>>> [100153] 13/7/2011 -- 12:37:35 - (suricata.c:431) <Info> (main) --
>>> This is Suricata version 1.0.4
>>>
>>>
>>> Thanks.
>>>
>>> --
>>> Paul Halliday
>>> http://www.squertproject.org/
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>
>
More information about the Oisf-users
mailing list