[Oisf-users] Should this be firing?

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Jul 13 16:42:41 UTC 2011


No... I removed the noalert yesterday. I think everything is as it should be!

Matt


On Jul 13, 2011, at 12:34 PM, Victor Julien wrote:

> Still a bug... the flowbits:noalert should have prevented the alert.
> Care to open a ticket?
> 
> Cheers,
> Victor
> 
> On 07/13/2011 06:10 PM, Paul Halliday wrote:
>> On Wed, Jul 13, 2011 at 1:07 PM, rmkml <rmkml at yahoo.fr> wrote:
>>> and rev:7 already fixed this issue. Paul, can you confirm you have an old sig
>>> version, please?
>>> Regards
>>> Rmkml
>>> 
>> 
>> I just checked and you are correct.
>> 
>> Thanks guys.
>> 
>> 
>>> 
>>> On Wed, 13 Jul 2011, Will Metcalf wrote:
>>> 
>>>>> Warning: this sig contains flowbits:noalert... this rule never fires.
>>>>> Regards
>>>> 
>>>> Right, missed that on the first go around... Paul mind opening a ticket
>>>> here?
>>>> 
>>>> https://redmine.openinfosecfoundation.org/projects/suricata/issues
>>>> 
>>>> Regards,
>>>> 
>>>> Will
>>>> 
>>>> On Wed, Jul 13, 2011 at 10:53 AM, rmkml <rmkml at yahoo.fr> wrote:
>>>>> 
>>>>> Hi Paul and Will,
>>>>> Thx for previous comments,
>>>> 
>>>>> Rmkml
>>>>> 
>>>>> 
>>>>> On Wed, 13 Jul 2011, Will Metcalf wrote:
>>>>> 
>>>>>> Based on the signature... ya... perhaps
>>>>>> flowbits:isnotset,is_proto_irc; should be
>>>>>> flowbits:isset,is_proto_irc;, also I'm not sure what offset:0; is
>>>>>> doing in there, it adds nothing to the rule.
>>>>>> 
>>>>>> Regards,
>>>>>> 
>>>>>> Will
>>>>>> 
>>>>>> On Wed, Jul 13, 2011 at 10:37 AM, Paul Halliday
>>>>>> <paul.halliday at gmail.com>
>>>>>> wrote:
>>>>>>> 
>>>>>>> SID 2002027: ET CHAT IRC PING
>>>>>>> alert tcp any any -> any any (msg:"ET CHAT IRC PING command";
>>>>>>> flowbits:isnotset,is_proto_irc; flow: from_server,established;
>>>>>>> content:"PING|20|"; nocase; offset: 0; flowbits: set,irc.ping;
>>>>>>> flowbits:noalert;
>>>>>>> 
>>>>>>> 
>>>>>>> On:
>>>>>>> 
>>>>>>> ping
>>>>>>> 
>>>>>>> basket">...........</a>.....................................</td>........<td>....
>>>>>>> ......................
>>>>>>> ... ......................................
>>>>>>> 
>>>>>>> Or:
>>>>>>> 
>>>>>>> ping in an Underwater Bedroom Would Be Amazing</a></h1>.......<div
>>>>>>> class="post-body">........<p>.........The Conrad Mald
>>>>>>> ives Rangali Island Hotel in the Indian Ocean has a stunning undersea
>>>>>>> restaurant. To celebrate its 5th anniversary, the
>>>>>>> hotel turned the restaurant into a private bedroom for two with a
>>>>>>> fancy champagne dinner and breakfast in bed..........<
>>>>>>> a
>>>>>>> 
>>>>>>> href="http://gizmodo.com/5820721/sleeping-in-an-underwater-bedroom-would-be-amazing"
>>>>>>> 
>>>>>>> I have a few rules today that seem to be acting a little strange. A
>>>>>>> setting maybe?
>>>>>>> 
>>>>>>> [100153] 13/7/2011 -- 12:37:35 - (suricata.c:431) <Info> (main) --
>>>>>>> This is Suricata version 1.0.4
>>>>>>> 
>>>>>>> 
>>>>>>> Thanks.
>>>>>>> 
>>>>>>> --
>>>>>>> Paul Halliday
>>>>>>> http://www.squertproject.org/
>>>>>>> _______________________________________________
>>>>>>> Oisf-users mailing list
>>>>>>> Oisf-users at openinfosecfoundation.org
>>>>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
> 
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
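The thread turns on two points about the quoted rule: a rule carrying flowbits:noalert can never produce an alert (so an alert attributed to SID 2002027 points at an old rule revision or an engine bug), and offset:0 adds nothing. The following is an added example, not code from the thread or from the Suricata project: a small rule linter that splits the option list on semicolons outside quotes, reports those two findings, and simulates the rule's flowbit checks against a per-flow bit state so the isnotset/isset distinction Will raised can be seen directly. The rule text is the one Paul quoted; because the quote is cut off after flowbits:noalert, a closing parenthesis and "sid:2002027;" (the SID named in the thread) are appended here so it parses, and no rev is included because the thread does not quote one. Everything else (function names, the simplified flowbit semantics, the constructed test strings) is an assumption of this example.

```python
# Added example: lint the flowbits/offset usage of a Suricata rule and
# simulate its flowbit logic. Not code from the thread or from Suricata.
import re

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)

# Rule quoted in the thread (SID 2002027). The quote stops after
# flowbits:noalert, so the closing ')' and 'sid:2002027;' are appended here
# to make it parse; no rev is given because none is quoted.
ET_IRC_PING = (
    'alert tcp any any -> any any (msg:"ET CHAT IRC PING command"; '
    'flowbits:isnotset,is_proto_irc; flow: from_server,established; '
    'content:"PING|20|"; nocase; offset: 0; flowbits: set,irc.ping; '
    'flowbits:noalert; sid:2002027;)'
)


def split_options(opts):
    """Split the option body on ';' characters that sit outside double quotes.

    Returns (keyword, value) pairs; value is None for bare modifiers such as
    nocase. A ';' inside content:"..." is kept as part of the content.
    """
    pairs, buf, in_quote, prev = [], [], False, ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            pairs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        prev = ch
    if "".join(buf).strip():
        pairs.append("".join(buf))
    out = []
    for raw in pairs:
        raw = raw.strip()
        if not raw:
            continue
        key, _, val = raw.partition(":")
        out.append((key.strip(), val.strip() if val else None))
    return out


def parse_rule(rule):
    """Parse header and options; collect the flowbits operations in order."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a rule: header or option block not recognised")
    opts = split_options(m.group("opts"))
    flowbits = []
    for key, val in opts:
        if key == "flowbits" and val:
            op, _, name = val.partition(",")
            flowbits.append((op.strip(), name.strip() or None))
    sid = next((int(v) for k, v in opts if k == "sid"), None)
    return {
        "action": m.group("action"),
        "options": opts,
        "flowbits": flowbits,
        "sid": sid,
        "noalert": any(op == "noalert" for op, _ in flowbits),
    }


def lint(parsed):
    """Return the objective findings discussed in the thread as strings."""
    findings = []
    if parsed["noalert"]:
        findings.append("flowbits:noalert: rule can never generate an alert; an alert "
                        "attributed to this sid points at an old rule revision or an engine bug")
    if any(k == "offset" and v == "0" for k, v in parsed["options"]):
        findings.append("offset:0 is a no-op: content matching already starts at payload byte 0")
    for op, name in parsed["flowbits"]:
        if op in ("isset", "isnotset"):
            want = "set" if op == "isset" else "unset"
            findings.append(f"rule is gated on flowbit '{name}' being {want}")
    return findings


def evaluate_flowbits(parsed, state):
    """Simulate the rule's flowbit options against a per-flow set of bit names.

    Assumes the content/flow keywords already matched (simplification of this
    example; single bit names only). isset/isnotset gate the match; set/unset/
    toggle apply only when the rule matched; noalert keeps the bit side effects
    but suppresses the alert. Returns (matched, new_state, alerts).
    """
    state = set(state)
    for op, name in parsed["flowbits"]:
        if op == "isset" and name not in state:
            return False, state, False
        if op == "isnotset" and name in state:
            return False, state, False
    for op, name in parsed["flowbits"]:
        if op == "set":
            state.add(name)
        elif op == "unset":
            state.discard(name)
        elif op == "toggle":
            state ^= {name}
    return True, state, parsed["action"] == "alert" and not parsed["noalert"]


if __name__ == "__main__":
    parsed = parse_rule(ET_IRC_PING)
    for finding in lint(parsed):
        print("-", finding)
    for bits in (set(), {"is_proto_irc"}):
        matched, new_bits, alerts = evaluate_flowbits(parsed, bits)
        print(f"bits={sorted(bits)} -> matched={matched} alerts={alerts} now={sorted(new_bits)}")
```

Run against the quoted rule, the simulation shows the shape of the problem: on a flow where is_proto_irc is not set the rule matches and sets irc.ping but, because of noalert, reports nothing; on a flow where is_proto_irc is set it does not match at all, which is why the thread suggests isset is the intended check.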