[Oisf-users] Should this be firing?

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Jul 13 16:35:02 UTC 2011


Thanks all!

Ya, I was going to say we modified that sig yesterday to rev 7, removing the noalert. We wanted to get more hits on trojans using IRC.

I have added flowbits:isset,is_proto_irc; to this sig so it'll not false like that. 

Thanks!

Matt


On Jul 13, 2011, at 12:10 PM, Paul Halliday wrote:

> On Wed, Jul 13, 2011 at 1:07 PM, rmkml <rmkml at yahoo.fr> wrote:
>> and rev:7 already fixed this issue. Paul, can you confirm you have the old sig
>> version please?
>> Regards
>> Rmkml
>> 
> 
> I just checked and you are correct.
> 
> Thanks guys.
> 
> 
>> 
>> On Wed, 13 Jul 2011, Will Metcalf wrote:
>> 
>>>> Warning: this sig contains flowbits:noalert... this rule never fires.
>>>> Regards
>>> 
>>> Right, missed that on the first go around... Paul mind opening a ticket
>>> here?
>>> 
>>> https://redmine.openinfosecfoundation.org/projects/suricata/issues
>>> 
>>> Regards,
>>> 
>>> Will
>>> 
>>> On Wed, Jul 13, 2011 at 10:53 AM, rmkml <rmkml at yahoo.fr> wrote:
>>>> 
>>>> Hi Paul and Will,
>>>> Thx for previous comments,
>>>> Rmkml
>>>> 
>>>> 
>>>> On Wed, 13 Jul 2011, Will Metcalf wrote:
>>>> 
>>>>> Based on the signature... ya... perhaps
>>>>> flowbits:isnotset,is_proto_irc; should be
>>>>> flowbits:isset,is_proto_irc;, also I'm not sure what offset:0; is
>>>>> doing in there, it adds nothing to the rule.
>>>>> 
>>>>> Regards,
>>>>> 
>>>>> Will
>>>>> 
>>>>> On Wed, Jul 13, 2011 at 10:37 AM, Paul Halliday
>>>>> <paul.halliday at gmail.com>
>>>>> wrote:
>>>>>> 
>>>>>> SID 2002027: ET CHAT IRC PING
>>>>>> alert tcp any any -> any any (msg:"ET CHAT IRC PING command";
>>>>>> flowbits:isnotset,is_proto_irc; flow:from_server,established;
>>>>>> content:"PING|20|"; nocase; offset:0; flowbits:set,irc.ping;
>>>>>> flowbits:noalert; sid:2002027;)
>>>>>> 
>>>>>> 
>>>>>> On:
>>>>>> 
>>>>>> ping
>>>>>> 
>>>>>> basket">...........</a>.....................................</td>........<td>....
>>>>>> ......................
>>>>>> ... ......................................
>>>>>> 
>>>>>> Or:
>>>>>> 
>>>>>> ping in an Underwater Bedroom Would Be Amazing</a></h1>.......<div
>>>>>> class="post-body">........<p>.........The Conrad Mald
>>>>>> ives Rangali Island Hotel in the Indian Ocean has a stunning undersea
>>>>>> restaurant. To celebrate its 5th anniversary, the
>>>>>> hotel turned the restaurant into a private bedroom for two with a
>>>>>> fancy champagne dinner and breakfast in bed..........<
>>>>>> a
>>>>>> 
>>>>>> href="http://gizmodo.com/5820721/sleeping-in-an-underwater-bedroom-would-be-amazing"
>>>>>> 
>>>>>> I have a few rules today that seem to be acting a little strange. A
>>>>>> setting maybe?
>>>>>> 
>>>>>> [100153] 13/7/2011 -- 12:37:35 - (suricata.c:431) <Info> (main) --
>>>>>> This is Suricata version 1.0.4
>>>>>> 
>>>>>> 
>>>>>> Thanks.
>>>>>> 
>>>>>> --
>>>>>> Paul Halliday
>>>>>> http://www.squertproject.org/
>>>>>> _______________________________________________
>>>>>> Oisf-users mailing list
>>>>>> Oisf-users at openinfosecfoundation.org
>>>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
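To make the flowbits behaviour in this thread easy to step through, here is a small evaluator added as an example. It is not Suricata code and it is not an ET rule: it models only the options SID 2002027 uses (content, nocase, offset, depth, flow direction, and flowbits set/isset/isnotset/noalert). The rule that sets is_proto_irc is an assumption, since the real ET rule is not quoted in the thread, and the two flows are constructed, reusing the Gizmodo headline Paul pasted.

```python
"""Miniature flowbits evaluator, added as an example for this thread; not
Suricata code. It models only the options SID 2002027 uses (content, nocase,
offset, depth, flow direction, flowbits set/isset/isnotset/noalert). The rule
that sets is_proto_irc is an assumption and both flows are constructed."""
from dataclasses import dataclass, field

# Hypothetical IRC detector: sets is_proto_irc on a client NICK line and,
# because of noalert, never alerts by itself.
SETTER = ('alert tcp any any -> any any (msg:"EXAMPLE IRC NICK registration"; '
          'flow:to_server,established; content:"NICK|20|"; depth:5; nocase; '
          'flowbits:set,is_proto_irc; flowbits:noalert; sid:9000001;)')
# SID 2002027 as posted, with the closing parenthesis and sid supplied.
POSTED = ('alert tcp any any -> any any (msg:"ET CHAT IRC PING command"; '
          'flowbits:isnotset,is_proto_irc; flow: from_server,established; '
          'content:"PING|20|"; nocase; offset: 0; flowbits: set,irc.ping; '
          'flowbits:noalert; sid:2002027;)')
# noalert dropped, as the thread says rev 7 did, so the rule can alert at all.
OLD = POSTED.replace("flowbits:noalert; ", "")
# Matt's fix: require the IRC flowbit instead of requiring its absence.
FIXED = OLD.replace("flowbits:isnotset,is_proto_irc", "flowbits:isset,is_proto_irc")

@dataclass
class Rule:
    sid: int = 0
    direction: str = ""   # "to_server", "from_server" or "" (either way)
    content: bytes = b""
    nocase: bool = False
    offset: int = 0
    depth: int = 0        # 0 means no depth limit
    flowbits: list = field(default_factory=list)   # (op, name) in rule order

def decode_content(s: str) -> bytes:
    """Expand |hex| escapes: "PING|20|" -> b"PING "."""
    chunks = s.split("|")   # odd-indexed chunks sit between | | pairs
    return b"".join(bytes.fromhex(c) if i % 2 else c.encode()
                    for i, c in enumerate(chunks))

def parse_rule(text: str) -> Rule:
    """Parse the subset of rule options this evaluator understands."""
    rule = Rule()
    for opt in text[text.index("(") + 1:text.rindex(")")].split(";"):
        key, _, val = (s.strip() for s in opt.partition(":"))
        if key == "sid":
            rule.sid = int(val)
        elif key == "flow":
            parts = [p.strip() for p in val.split(",")]
            rule.direction = next((p for p in parts if p.endswith("_server")), "")
        elif key == "content":
            rule.content = decode_content(val.strip('"'))
        elif key == "nocase":
            rule.nocase = True
        elif key in ("offset", "depth"):
            setattr(rule, key, int(val))
        elif key == "flowbits":
            op, _, name = val.partition(",")
            rule.flowbits.append((op.strip(), name.strip()))
    return rule

def run(rules, flow):
    """Evaluate rules over one flow's (direction, payload) packets and return
    (alerting sids, flowbits). Bits are per flow, so one set on an earlier
    packet is visible later; isset/isnotset gate the match, set/noalert follow it."""
    bits, alerts = set(), []
    for direction, payload in flow:
        for r in rules:
            if r.direction and r.direction != direction:
                continue
            end = r.offset + r.depth if r.depth else len(payload)
            hay, needle = payload[r.offset:end], r.content
            if r.nocase:
                hay, needle = hay.lower(), needle.lower()
            if needle not in hay:
                continue
            if not all((name in bits) == (op == "isset")
                       for op, name in r.flowbits if op in ("isset", "isnotset")):
                continue
            for op, name in r.flowbits:
                if op == "set":
                    bits.add(name)
            if ("noalert", "") not in r.flowbits:
                alerts.append(r.sid)
    return alerts, bits

# Constructed traffic; the "ping " inside "Sleeping in" is what nocase content hits.
HTTP_FLOW = [
    ("to_server", b"GET /5820721/ HTTP/1.1\r\nHost: gizmodo.com\r\n\r\n"),
    ("from_server", b"HTTP/1.1 200 OK\r\n\r\n<h1>Sleeping in an Underwater Bedroom Would Be Amazing</h1>"),
]
IRC_FLOW = [
    ("to_server", b"NICK bot42\r\nUSER bot42 0 * :bot\r\n"),
    ("from_server", b"PING :irc.example.net\r\n"),
]

def evaluate():
    """Alerts and flowbits each rule variant produces on each flow."""
    setter, results = parse_rule(SETTER), {}
    for label, text in (("posted", POSTED), ("old", OLD), ("fixed", FIXED)):
        for flow_name, flow in (("http", HTTP_FLOW), ("irc", IRC_FLOW)):
            alerts, bits = run([setter, parse_rule(text)], flow)
            results[f"{label}_{flow_name}"] = (alerts, sorted(bits))
    return results
```

Calling evaluate() shows the three states the thread went through: the rule as posted alerts on neither flow (noalert) but still silently sets irc.ping on the HTML response; with noalert removed it alerts on the HTML body and stays quiet on the real IRC PING, because the detector has already set is_proto_irc on that flow; with isset in place of isnotset the HTML flow is ignored and only the IRC PING alerts.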