[Oisf-users] Should this be firing?

Paul Halliday paul.halliday at gmail.com
Wed Jul 13 16:10:25 UTC 2011


On Wed, Jul 13, 2011 at 1:07 PM, rmkml <rmkml at yahoo.fr> wrote:
> and rev:7 already fixed this issue. Paul, can you confirm you have the old
> sig version, please?
> Regards
> Rmkml
>

I just checked and you are correct.

Thanks guys.


>
> On Wed, 13 Jul 2011, Will Metcalf wrote:
>
>>> Warning: this sig contains flowbits:noalert... this rule never fires.
>>> Regards
>>
>> Right, missed that on the first go around... Paul mind opening a ticket
>> here?
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/issues
>>
>> Regards,
>>
>> Will
>>
>> On Wed, Jul 13, 2011 at 10:53 AM, rmkml <rmkml at yahoo.fr> wrote:
>>>
>>> Hi Paul and Will,
>>> Thx for previous comments,
>>
>>> Rmkml
>>>
>>>
>>> On Wed, 13 Jul 2011, Will Metcalf wrote:
>>>
>>>> Based on the signature... ya... perhaps
>>>> flowbits:isnotset,is_proto_irc; should be
>>>> flowbits:isset,is_proto_irc;, also I'm not sure what offset:0; is
>>>> doing in there, it adds nothing to the rule.
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>> On Wed, Jul 13, 2011 at 10:37 AM, Paul Halliday
>>>> <paul.halliday at gmail.com>
>>>> wrote:
>>>>>
>>>>> SID 2002027: ET CHAT IRC PING
>>>>> alert tcp any any -> any any (msg:"ET CHAT IRC PING command";
>>>>> flowbits:isnotset,is_proto_irc; flow: from_server,established;
>>>>> content:"PING|20|"; nocase; offset: 0; flowbits: set,irc.ping;
>>>>> flowbits:noalert;
>>>>>
>>>>>
>>>>> On:
>>>>>
>>>>> ping
>>>>>
>>>>> basket">...........</a>.....................................</td>........<td>....
>>>>> ......................
>>>>> ... ......................................
>>>>>
>>>>> Or:
>>>>>
>>>>> ping in an Underwater Bedroom Would Be Amazing</a></h1>.......<div
>>>>> class="post-body">........<p>.........The Conrad Mald
>>>>> ives Rangali Island Hotel in the Indian Ocean has a stunning undersea
>>>>> restaurant. To celebrate its 5th anniversary, the
>>>>> hotel turned the restaurant into a private bedroom for two with a
>>>>> fancy champagne dinner and breakfast in bed..........<
>>>>> a
>>>>>
>>>>> href="http://gizmodo.com/5820721/sleeping-in-an-underwater-bedroom-would-be-amazing"
>>>>>
>>>>> I have a few rules today that seem to be acting a little strange. A
>>>>> setting maybe?
>>>>>
>>>>> [100153] 13/7/2011 -- 12:37:35 - (suricata.c:431) <Info> (main) --
>>>>> This is Suricata version 1.0.4
>>>>>
>>>>>
>>>>> Thanks.
>>>>>
>>>>> --
>>>>> Paul Halliday
>>>>> http://www.squertproject.org/
>>>>> _______________________________________________
>>>>> Oisf-users mailing list
>>>>> Oisf-users at openinfosecfoundation.org
>>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


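Added example (not from the thread and not Suricata's code): a simplified Python model of the keywords in the quoted rule, showing why content:"PING|20|"; nocase; offset:0; matches the HTTP text in the report, and why flowbits:noalert means a match should only set irc.ping without alerting. The depth parameter is a hypothetical tightening for comparison, not the rev:7 change; flow direction is not modelled and the payloads are constructed samples.

```python
from dataclasses import dataclass, field

@dataclass
class Flow:
    bits: set = field(default_factory=set)  # flowbits currently set on the flow

def content_match(payload, pattern, nocase=False, offset=0, depth=None):
    """Search for pattern in payload[offset:offset+depth] (whole payload if no depth)."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    window = payload[offset:end]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window

def eval_rule(flow, payload, depth=None):
    """Model of the quoted SID 2002027. Returns (matched, alerted)."""
    if "is_proto_irc" in flow.bits:          # flowbits:isnotset,is_proto_irc
        return (False, False)
    # content:"PING|20|"; nocase; offset:0;  (depth is a hypothetical addition)
    if not content_match(payload, b"PING ", nocase=True, offset=0, depth=depth):
        return (False, False)
    flow.bits.add("irc.ping")                # flowbits:set,irc.ping
    return (True, False)                     # flowbits:noalert suppresses the alert

# Constructed samples: HTTP text modelled on the report, plus an IRC server PING.
HTTP_BODY = b"<h1><a>Sleeping in an Underwater Bedroom Would Be Amazing</a></h1>"
IRC_PING = b"PING :irc.example.net\r\n"

if __name__ == "__main__":
    for name, data in (("http", HTTP_BODY), ("irc", IRC_PING)):
        print(name, "as written:", eval_rule(Flow(), data),
              "| with depth 5:", eval_rule(Flow(), data, depth=5))
    # A flow already marked as IRC is skipped by the isnotset check.
    print("irc, is_proto_irc set:", eval_rule(Flow({"is_proto_irc"}), IRC_PING))
```

With no depth, offset:0 is the default search start, so "ping " inside "Sleeping in" satisfies the content check anywhere in the payload.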
