[Oisf-users] Should this be firing?

Will Metcalf william.metcalf at gmail.com
Wed Jul 13 16:03:16 UTC 2011


> Warning: this sig contains flowbits:noalert... this rule never fires.
> Regards

Right, missed that on the first go around... Paul, mind opening a ticket here?

https://redmine.openinfosecfoundation.org/projects/suricata/issues

Regards,

Will

On Wed, Jul 13, 2011 at 10:53 AM, rmkml <rmkml at yahoo.fr> wrote:
> Hi Paul and Will,
> Thx for previous comments,

> Rmkml
>
>
> On Wed, 13 Jul 2011, Will Metcalf wrote:
>
>> Based on the signature... ya... perhaps
>> flowbits:isnotset,is_proto_irc; should be
>> flowbits:isset,is_proto_irc;, also I'm not sure what offset:0; is
>> doing in there, it adds nothing to the rule.
>>
>> Regards,
>>
>> Will
>>
>> On Wed, Jul 13, 2011 at 10:37 AM, Paul Halliday <paul.halliday at gmail.com>
>> wrote:
>>>
>>> SID 2002027: ET CHAT IRC PING
>>> alert tcp any any -> any any (msg:"ET CHAT IRC PING command";
>>> flowbits:isnotset,is_proto_irc; flow: from_server,established;
>>> content:"PING|20|"; nocase; offset: 0; flowbits: set,irc.ping;
>>> flowbits:noalert;
>>>
>>>
>>> On:
>>>
>>> ping
>>> basket">...........</a>.....................................</td>........<td>....
>>> ......................
>>> ... ......................................
>>>
>>> Or:
>>>
>>> ping in an Underwater Bedroom Would Be Amazing</a></h1>.......<div
>>> class="post-body">........<p>.........The Conrad Mald
>>> ives Rangali Island Hotel in the Indian Ocean has a stunning undersea
>>> restaurant. To celebrate its 5th anniversary, the
>>> hotel turned the restaurant into a private bedroom for two with a
>>> fancy champagne dinner and breakfast in bed..........<
>>> a
>>> href="http://gizmodo.com/5820721/sleeping-in-an-underwater-bedroom-would-be-amazing"
>>>
>>> I have a few rules today that seem to be acting a little strange. A
>>> setting maybe?
>>>
>>> [100153] 13/7/2011 -- 12:37:35 - (suricata.c:431) <Info> (main) --
>>> This is Suricata version 1.0.4
>>>
>>>
>>> Thanks.
>>>
>>> --
>>> Paul Halliday
>>> http://www.squertproject.org/
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>
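The thread's point is that the rule above can never alert because of flowbits:noalert, and that offset:0 adds nothing. The following added example (not from the list or the Suricata project) is a small rule-option linter that makes both observations mechanically; it parses the quoted rule, completed with a constructed sid/rev so it is syntactically whole, and reports which flowbits the rule checks and sets and whether it can alert at all.

```python
# Constructed sample: the rule quoted in the thread, closed off with a
# hypothetical sid/rev (not the real ET revision) so it parses as one rule.
RULE = ('alert tcp any any -> any any (msg:"ET CHAT IRC PING command"; '
        'flowbits:isnotset,is_proto_irc; flow: from_server,established; '
        'content:"PING|20|"; nocase; offset: 0; flowbits: set,irc.ping; '
        'flowbits:noalert; sid:9999999; rev:1;)')


def parse_options(rule):
    """Split the (...) option body into (keyword, value) pairs.

    Semicolons inside double quotes (e.g. content:"a|3b|;") are not
    separators, so we track quote state instead of a naive split(";").
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if cur.strip():
                key, _, val = cur.strip().partition(":")
                opts.append((key.strip(), val.strip()))
            cur = ""
        else:
            cur += ch
    return opts


def lint(rule):
    """Summarise how the rule uses flowbits and whether it can ever alert."""
    report = {"alerts": True, "sets": [], "checks": [], "notes": []}
    for key, val in parse_options(rule):
        if key == "flowbits":
            op, _, bit = val.replace(" ", "").partition(",")
            if op == "noalert":
                # noalert keeps the bit side effects but suppresses the alert
                report["alerts"] = False
                report["notes"].append(
                    "flowbits:noalert: rule only sets bits, it never alerts")
            elif op in ("set", "unset", "toggle"):
                report["sets"].append((op, bit))
            elif op in ("isset", "isnotset"):
                report["checks"].append((op, bit))
        elif key == "offset" and val == "0":
            # offset:0 is already the default position for a content match
            report["notes"].append("offset:0 is the default and adds nothing")
    return report


if __name__ == "__main__":
    for line in lint(RULE)["notes"]:
        print(line)
```

Run against the thread's rule it reports both the noalert and the redundant offset:0, and lists the isnotset check on is_proto_irc next to the set of irc.ping so the polarity question raised in the thread is visible at a glance.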