[Oisf-users] false alerts?

Victor Julien lists at inliniac.net
Tue Apr 2 07:16:28 UTC 2013


On 03/27/2013 06:39 PM, Jose Paulo wrote:
> Good point, Victor Julien, thank you.
> 
> I adjusted the rule set to add the depth modifier and the result
> changed as follows:
> 
> 11/16/2011-15:00:00.198278 [**] [1:9000004:0] HEX offset 510 [**]
> [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
> 10.85.185.2:43569
> 11/16/2011-15:00:09.374228 [**] [1:9000004:0] HEX offset 510 [**]
> [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
> 10.85.185.2:43569
> 11/16/2011-15:00:09.374228 [**] [1:9000001:0] HEX no offset [**]
> [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
> 10.85.185.2:43569
> 11/16/2011-15:01:31.769957 [**] [1:9000005:0] HEX offset 503 [**]
> [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
> 10.85.185.2:43569
> 11/16/2011-15:01:38.380502 [**] [1:9000005:0] HEX offset 503 [**]
> [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
> 10.85.185.2:43569
> 11/16/2011-15:01:38.380502 [**] [1:9000001:0] HEX no offset [**]
> [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
> 10.85.185.2:43569
> 11/16/2011-15:01:44.609767 [**] [1:9000002:0] HEX offset 514 [**]
> [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
> 10.85.185.2:43569
> 11/16/2011-15:01:48.726883 [**] [1:9000002:0] HEX offset 514 [**]
> [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
> 10.85.185.2:43569
> 11/16/2011-15:01:48.726883 [**] [1:9000001:0] HEX no offset [**]
> [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
> 10.85.185.2:43569
> 
> 
> Can I consider each timestamp as a packet or something like this?
> If so, why do we have alerts for a timestamp with a rule using offset/depth
> and not for the rule without it?
> 
> Take the timestamp 11/16/2011-15:01:48.726883, this is coherent for me:
> alerts for sids 9000001 and 9000002.
> Now take the timestamp 11/16/2011-15:00:00.198278, there is an alert only
> for sid 9000004 (a content with offset/depth) and not for 9000001 (same
> content but without offset/depth).

If you use alert-debug you get the pcap num, which is the packet number
in the pcap. That should help you determine which packet matched what.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
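An added example, not from the thread or from Suricata itself: a small Python parser for fast.log entries in the format quoted above. The sample is constructed from the entries in the mail, kept in the three-line wrapped form the mail client left them in, and the sids (9000001 as the unrestricted baseline, 9000002/9000004/9000005 as the offset/depth rules) are the ones in the thread. It groups alerts by timestamp and lists the timestamps where an offset/depth rule fired without the baseline rule, which are the packets to look up by pcap num with alert-debug.

```python
import re
from collections import defaultdict

# Constructed sample: entries from the quoted mail, still wrapped onto
# three lines each, as the mail client emitted them.
SAMPLE_FAST_LOG = """\
11/16/2011-15:00:00.198278 [**] [1:9000004:0] HEX offset 510 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:00:09.374228 [**] [1:9000004:0] HEX offset 510 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:00:09.374228 [**] [1:9000001:0] HEX no offset [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
"""

# fast.log entry: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src -> dst
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] .*?"
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)
TS_START = re.compile(r"^\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+ ")


def parse_fast_log(text):
    """Re-join entries the mail client wrapped (a line not starting with a
    timestamp continues the previous one), then parse each entry."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TS_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    matches = (ENTRY_RE.match(e) for e in entries)
    return [{**m.groupdict(), "sid": int(m.group("sid"))} for m in matches if m]


def sids_by_timestamp(alerts):
    """Map each timestamp to the set of sids that alerted at that instant."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[a["ts"]].add(a["sid"])
    return dict(grouped)


def missing_baseline(alerts, baseline_sid, restricted_sids):
    """Timestamps where an offset/depth rule fired without the baseline rule:
    the packets worth checking with alert-debug (pcap num)."""
    return sorted(ts for ts, sids in sids_by_timestamp(alerts).items()
                  if sids & set(restricted_sids) and baseline_sid not in sids)
```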