[Oisf-users] Why one request, two alerts(logs in fast.log)?

Anoop Saldanha anoopsaldanha at gmail.com
Mon Jan 14 06:49:35 UTC 2013

On Mon, Jan 14, 2013 at 11:26 AM, 郑博文 <anshuitian at gmail.com> wrote:

> Hello, all:
>     I use suricata in IPS mode, I send a GET request to the server which
> the IPS protected, and the request touch off the 20000001 sig,
> 20000001 signature is: drop http any any -> any any (msg:"http test for
> 2000001"; content:"20000001"; sid:2000001; rev:1;)
>     but there are two same logs in fast.log generated(whatever the action
> type of the signature is, there are two same logs.),like this:
>     but, I capture packets by Wireshark, like this:

The attachment of yours isn't visible.

You have 2 content matches against the stream?  Can you verify the multiple
presence of 20000001 in your payloads?

Anoop Saldanha
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130114/bcd09e07/attachment-0002.html>

More information about the Oisf-users mailing list