[Oisf-users] Should this be firing?

rmkml rmkml at yahoo.fr
Wed Jul 13 16:07:34 UTC 2011


And rev:7 already fixed this issue. Paul, can you confirm you have an old sig version, please?
Regards
Rmkml


On Wed, 13 Jul 2011, Will Metcalf wrote:

>> Warning: this sig contains flowbits:noalert... this rule never fires.
>> Regards
>
> Right, missed that on the first go around... Paul mind opening a ticket here?
>
> https://redmine.openinfosecfoundation.org/projects/suricata/issues
>
> Regards,
>
> Will
>
> On Wed, Jul 13, 2011 at 10:53 AM, rmkml <rmkml at yahoo.fr> wrote:
>> Hi Paul and Will,
>> Thx for previous comments,
>
>> Rmkml
>>
>>
>> On Wed, 13 Jul 2011, Will Metcalf wrote:
>>
>>> Based on the signature... ya... perhaps
>>> flowbits:isnotset,is_proto_irc; should be
>>> flowbits:isset,is_proto_irc;, also I'm not sure what offset:0; is
>>> doing in there, it adds nothing to the rule.
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On Wed, Jul 13, 2011 at 10:37 AM, Paul Halliday <paul.halliday at gmail.com>
>>> wrote:
>>>>
>>>> SID 2002027: ET CHAT IRC PING
>>>> alert tcp any any -> any any (msg:"ET CHAT IRC PING command";
>>>> flowbits:isnotset,is_proto_irc; flow: from_server,established;
>>>> content:"PING|20|"; nocase; offset: 0; flowbits: set,irc.ping;
>>>> flowbits:noalert;
>>>>
>>>>
>>>> On:
>>>>
>>>> ping
>>>> basket">...........</a>.....................................</td>........<td>....
>>>> ......................
>>>> ... ......................................
>>>>
>>>> Or:
>>>>
>>>> ping in an Underwater Bedroom Would Be Amazing</a></h1>.......<div
>>>> class="post-body">........<p>.........The Conrad Mald
>>>> ives Rangali Island Hotel in the Indian Ocean has a stunning undersea
>>>> restaurant. To celebrate its 5th anniversary, the
>>>> hotel turned the restaurant into a private bedroom for two with a
>>>> fancy champagne dinner and breakfast in bed..........<
>>>> a
>>>> href="http://gizmodo.com/5820721/sleeping-in-an-underwater-bedroom-would-be-amazing"
>>>>
>>>> I have a few rules today that seem to be acting a little strange. A
>>>> setting maybe?
>>>>
>>>> [100153] 13/7/2011 -- 12:37:35 - (suricata.c:431) <Info> (main) --
>>>> This is Suricata version 1.0.4
>>>>
>>>>
>>>> Thanks.
>>>>
>>>> --
>>>> Paul Halliday
>>>> http://www.squertproject.org/
>>>> _______________________________________________
>>>> Oisf-users mailing list
>>>> Oisf-users at openinfosecfoundation.org
>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>
>>>
>>
>
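
The two observations made in this thread (a rule carrying `flowbits:noalert` only sets state and never alerts itself, and `offset:0` adds nothing) can be checked mechanically across a rule file. The following is an added example, not part of the original messages or of Suricata; `parse_options` and `lint` are hypothetical helper names, and the option splitter is a simplification of the rule syntax rather than Suricata's own parser.

```python
# Rule text as quoted in the thread; "sid:2002027;)" is appended here so the
# truncated quote parses (the SID comes from the post, the rest is unchanged).
RULE = ('alert tcp any any -> any any (msg:"ET CHAT IRC PING command"; '
        'flowbits:isnotset,is_proto_irc; flow: from_server,established; '
        'content:"PING|20|"; nocase; offset: 0; flowbits: set,irc.ping; '
        'flowbits:noalert; sid:2002027;)')


def parse_options(rule):
    """Split the parenthesised option block into (keyword, value) pairs.

    Semicolons inside quoted strings and backslash escapes do not end an option.
    """
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped or ch == '\\':
            buf.append(ch)
            escaped = not escaped
        elif ch == ';' and not in_quote:
            key, _, val = ''.join(buf).strip().partition(':')
            if key:
                opts.append((key.strip().lower(), val.strip()))
            buf = []
        else:
            if ch == '"':
                in_quote = not in_quote
            buf.append(ch)
    return opts


def lint(rule):
    """Return (code, message) findings for the two points raised in the thread."""
    opts = parse_options(rule)
    flowbits = [[p.strip() for p in v.split(',')] for k, v in opts if k == 'flowbits']
    findings = []
    if any(fb[0] == 'noalert' for fb in flowbits):
        bits = [fb[1] for fb in flowbits if fb[0] == 'set' and len(fb) > 1]
        findings.append(('noalert', 'never alerts by itself; only sets: '
                         + (', '.join(bits) or 'nothing')))
    if ('offset', '0') in opts:
        findings.append(('offset-zero', 'offset:0 is the default start position'))
    return findings


if __name__ == '__main__':
    for code, message in lint(RULE):
        print(f'{code}: {message}')
```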


