[Oisf-users] Why one request, two alerts(logs in fast.log)?

郑博文 anshuitian at gmail.com
Mon Jan 14 05:56:26 UTC 2013

Hello, all:
    I use suricata in IPS mode, I send a GET request to the server which
the IPS protected, and the request touch off the 20000001 sig,
20000001 signature is: drop http any any -> any any (msg:"http test for
2000001"; content:"20000001"; sid:2000001; rev:1;)
    but there are two same logs in fast.log generated(whatever the action
type of the signature is, there are two same logs.),like this:

    but, I capture packets by Wireshark, like this:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130114/fee6795d/attachment-0001.html>

More information about the Oisf-users mailing list