[Oisf-users] Should this be firing?
Matthew Jonkman
jonkman at emergingthreatspro.com
Wed Jul 13 16:35:02 UTC 2011
THanks all!
Ya, I was going to say we modified that sig yesterday to rev 7 removing the noalert. We wanted to get more hits on rojans using irc.
I have added flowbits:isset,is_proto_irc; to this sig so it'll not false like that.
Thanks!
Matt
On Jul 13, 2011, at 12:10 PM, Paul Halliday wrote:
> On Wed, Jul 13, 2011 at 1:07 PM, rmkml <rmkml at yahoo.fr> wrote:
>> and rev:7 already fixed this issue, Paul can you confirm have old sig
>> version please?
>> Regards
>> Rmkml
>>
>
> I just checked and you are correct.
>
> Thanks guys.
>
>
>>
>> On Wed, 13 Jul 2011, Will Metcalf wrote:
>>
>>>> Warning: this sig contains flowbits:noalert... this rule never fire.
>>>> Regards
>>>
>>> Right, missed that on the first go around... Paul mind opening a ticket
>>> here?
>>>
>>> https://redmine.openinfosecfoundation.org/projects/suricata/issues
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On Wed, Jul 13, 2011 at 10:53 AM, rmkml <rmkml at yahoo.fr> wrote:
>>>>
>>>> Hi Paul and Will,
>>>> Thx for previous comments,
>>>
>>>> Rmkml
>>>>
>>>>
>>>> On Wed, 13 Jul 2011, Will Metcalf wrote:
>>>>
>>>>> Based on the signature... ya... perhaps
>>>>> flowbits:isnotset,is_proto_irc; should be
>>>>> flowbits:isset,is_proto_irc;, also I'm not sure what offset:0; is
>>>>> doing in there, it adds nothing to the rule.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Will
>>>>>
>>>>> On Wed, Jul 13, 2011 at 10:37 AM, Paul Halliday
>>>>> <paul.halliday at gmail.com>
>>>>> wrote:
>>>>>>
>>>>>> SID 2002027: ET CHAT IRC PING
>>>>>> alert tcp any any -> any any (msg:"ET CHAT IRC PING command";
>>>>>> flowbits:isnotset,is_proto_irc; flow: from_server,established;
>>>>>> content:"PING|20|"; nocase; offset: 0; flowbits: set,irc.ping;
>>>>>> flowbits:noalert;
>>>>>>
>>>>>>
>>>>>> On:
>>>>>>
>>>>>> ping
>>>>>>
>>>>>> basket">...........</a>.....................................</td>........<td>....
>>>>>> ......................
>>>>>> ... ......................................
>>>>>>
>>>>>> Or:
>>>>>>
>>>>>> ping in an Underwater Bedroom Would Be Amazing</a></h1>.......<div
>>>>>> class="post-body">........<p>.........The Conrad Mald
>>>>>> ives Rangali Island Hotel in the Indian Ocean has a stunning undersea
>>>>>> restaurant. To celebrate its 5th anniversary, the
>>>>>> hotel turned the restaurant into a private bedroom for two with a
>>>>>> fancy champagne dinner and breakfast in bed..........<
>>>>>> a
>>>>>>
>>>>>> href="http://gizmodo.com/5820721/sleeping-in-an-underwater-bedroom-would-be-amazing"
>>>>>>
>>>>>> I have a few rules today that seem to be acting a little strange. A
>>>>>> setting maybe?
>>>>>>
>>>>>> [100153] 13/7/2011 -- 12:37:35 - (suricata.c:431) <Info> (main) --
>>>>>> This is Suricata version 1.0.4
>>>>>>
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> --
>>>>>> Paul Halliday
>>>>>> http://www.squertproject.org/
>>>>>> _______________________________________________
>>>>>> Oisf-users mailing list
>>>>>> Oisf-users at openinfosecfoundation.org
>>>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>>
>>>>> _______________________________________________
>>>>> Oisf-users mailing list
>>>>> Oisf-users at openinfosecfoundation.org
>>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>
>>>>
>>>
>>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
More information about the Oisf-users
mailing list