[Oisf-users] Why one request, two alerts(logs in fast.log)?
Anoop Saldanha
anoopsaldanha at gmail.com
Mon Jan 14 06:49:35 UTC 2013
On Mon, Jan 14, 2013 at 11:26 AM, 郑博文 <anshuitian at gmail.com> wrote:
> Hello, all:
> I use suricata in IPS mode. I send a GET request to the server which
> the IPS protects, and the request touches off the 20000001 sig.
> The 20000001 signature is: drop http any any -> any any (msg:"http test for
> 2000001"; content:"20000001"; sid:2000001; rev:1;)
> but there are two identical logs generated in fast.log (whatever the action
> type of the signature is, there are two identical logs), like this:
>
> but, I capture packets by Wireshark, like this:
>
Your attachment isn't visible.
You have 2 content matches against the stream? Can you verify the multiple
presence of 20000001 in your payloads?
--
Anoop Saldanha
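Anoop's suggestion above is to check whether the content string actually occurs more than once in the payloads. The following is an added example, not code from this thread or from the Suricata project: a small Python checker run over a constructed request/response pair that counts occurrences of the rule's content per flow direction and per HTTP message section, and shows one way of narrowing the quoted rule so the content is only inspected in the client-to-server URI. The keywords flow:to_server,established and http_uri are real Suricata keywords; the sample payloads, the helper names and the echoed-back response body are assumptions made for this example.

```python
"""Added example (not from the thread): check where a rule's content pattern
occurs in a captured HTTP exchange, per direction and per message section.

Assumptions: the request/response below are constructed; the content string
and sid come from the rule quoted in the thread.
"""

CONTENT = b"20000001"

# Constructed sample exchange: the client sends the pattern in the URI and the
# server happens to echo it back in the response body, so a rule with no
# direction or buffer restriction can see the pattern on both sides.
REQUEST = (
    b"GET /test?id=20000001 HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"User-Agent: curl/7.29\r\n"
    b"\r\n"
)
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 26\r\n"
    b"\r\n"
    b"you requested id 20000001\n"
)


def count_occurrences(payload: bytes, pattern: bytes) -> int:
    """Non-overlapping count of pattern in payload (0 for an empty pattern)."""
    return payload.count(pattern) if pattern else 0


def locate_sections(payload: bytes, pattern: bytes) -> list:
    """Which HTTP message sections (start-line, headers, body) contain pattern."""
    head, _, body = payload.partition(b"\r\n\r\n")
    start_line, _, headers = head.partition(b"\r\n")
    sections = (("start-line", start_line), ("headers", headers), ("body", body))
    return [name for name, part in sections if pattern and pattern in part]


def matches_per_direction(request: bytes, response: bytes, pattern: bytes) -> dict:
    """Pattern occurrences on each side of the flow (to_server / to_client)."""
    return {
        "to_server": count_occurrences(request, pattern),
        "to_client": count_occurrences(response, pattern),
    }


def directions_hit(request: bytes, response: bytes, pattern: bytes) -> list:
    """Flow directions in which the pattern occurs at least once."""
    counts = matches_per_direction(request, response, pattern)
    return [direction for direction, n in counts.items() if n]


def narrow_to_request_uri(rule: str) -> str:
    """Return a copy of a rule restricted to the client-to-server URI.

    Inserts flow:to_server,established and http_uri before the sid keyword,
    so the content is only inspected in the request URI buffer rather than
    in the raw payload of both directions of the stream.
    """
    if "sid:" not in rule:
        raise ValueError("rule has no sid keyword")
    return rule.replace("sid:", "flow:to_server,established; http_uri; sid:", 1)


if __name__ == "__main__":
    print("occurrences per direction:", matches_per_direction(REQUEST, RESPONSE, CONTENT))
    print("request sections:", locate_sections(REQUEST, CONTENT))
    print("response sections:", locate_sections(RESPONSE, CONTENT))
    original = ('drop http any any -> any any (msg:"http test for 2000001"; '
                'content:"20000001"; sid:2000001; rev:1;)')
    print("narrowed rule:", narrow_to_request_uri(original))
```

With real captures, replace REQUEST and RESPONSE with the client and server payloads extracted from the Wireshark follow-stream output; if the pattern shows up in both directions, a rule without a direction or buffer restriction is inspecting it twice, which is the first thing to rule out before looking for a deeper cause.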