[Oisf-users] Why one request, two alerts (logs in fast.log)?

郑博文 anshuitian at gmail.com
Mon Jan 14 07:05:04 UTC 2013


2013/1/14 郑博文 <anshuitian at gmail.com>

> Hello, all:
>     I use suricata in IPS mode. I send a GET request to the server which
> the IPS protects, and the request touches off the 20000001 sig.
> The 20000001 signature is: drop http any any -> any any (msg:"http test for
> 2000001"; content:"20000001"; sid:2000001; rev:1;)
>     But there are two identical logs generated in fast.log (whatever the action
> type of the signature is, there are two identical logs), like this:
> [attachment: 1.jpg]
>     But I captured packets with Wireshark, like this:
> [attachment: 2.jpg]
>     Why?
>



Sorry, the pictures were damaged.

The first pic is 1.jpg, the second pic is 2.jpg.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1.jpg
Type: image/jpeg
Size: 33451 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130114/0f82dd46/attachment-0004.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2.jpg
Type: image/jpeg
Size: 170547 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130114/0f82dd46/attachment-0005.jpg>
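Since the screenshots did not survive the archive, the following script is an added example (not code from the thread or from the Suricata project) of the check a practitioner would run before asking why a rule fires twice: parse fast.log and report every rule+flow pair that is logged more than once, showing whether the repeated entries carry identical timestamps and the same direction and ports, or differ in some field. The sample fast.log lines are constructed for this example to mimic the reported symptom (one GET, two identical [Drop] entries for sid 2000001); they are not the poster's actual output. The line layout assumed here is Suricata's fast.log format: timestamp, optional "[Drop]" or "[wDrop]" marker, [gid:sid:rev], message, classification, priority, {proto}, src:port -> dst:port.

```python
"""Parse Suricata fast.log lines and report alerts that repeat for the same
rule on the same flow, to check whether "two logs for one request" are exact
duplicates or differ in timestamp, direction or port.

The sample log lines below are constructed for this example, not taken from
the mailing-list thread.
"""
import re
from collections import defaultdict, namedtuple

# One fast.log line as written by Suricata's fast alert output:
# timestamp, optional "[Drop]"/"[wDrop]" action marker, [gid:sid:rev],
# message, classification, priority, {proto}, src:port -> dst:port.
FASTLOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<cls>.*?)\]\s+"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Alerts are grouped by rule and flow 5-tuple. Two entries in one group with
# the same timestamp are exact repeats of a single detection event; a hit on
# the reverse direction of the same connection lands in a different group.
FlowKey = namedtuple("FlowKey", "sid rev proto src sport dst dport")

# Constructed sample: the first two lines mimic the reported symptom (one GET,
# two identical [Drop] entries); the third is a different client hitting the
# same rule once, with the rule in alert mode (no action marker).
SAMPLE_FASTLOG = """\
01/14/2013-14:58:21.337911  [Drop] [**] [1:2000001:1] http test for 2000001 [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80
01/14/2013-14:58:21.337911  [Drop] [**] [1:2000001:1] http test for 2000001 [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80
01/14/2013-14:58:25.102334  [**] [1:2000001:1] http test for 2000001 [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.11:40022 -> 198.51.100.5:80
"""


def parse_fastlog(text):
    """Return a list of alert dicts, one per non-blank line.

    Raises ValueError on a line that does not look like fast.log output, so
    truncated or foreign lines are not silently dropped from the count.
    """
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = FASTLOG_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno} is not a fast.log alert: {line!r}")
        alerts.append(m.groupdict())
    return alerts


def group_by_flow(alerts):
    """Map FlowKey -> list of timestamps for alerts sharing rule and flow.

    Insertion order is kept, so groups come out in first-seen order.
    """
    groups = defaultdict(list)
    for a in alerts:
        key = FlowKey(a["sid"], a["rev"], a["proto"],
                      a["src"], a["sport"], a["dst"], a["dport"])
        groups[key].append(a["ts"])
    return groups


def duplicate_groups(alerts):
    """Return [(FlowKey, [ts, ...]), ...] for rule+flow pairs logged more than once."""
    return [(k, ts) for k, ts in group_by_flow(alerts).items() if len(ts) > 1]


def report(text):
    """Print a summary of repeated entries; return how many rule+flow pairs repeat."""
    dups = duplicate_groups(parse_fastlog(text))
    for key, stamps in dups:
        same = "identical timestamps" if len(set(stamps)) == 1 else "different timestamps"
        print(f"sid {key.sid} rev {key.rev} on {key.proto} {key.src}:{key.sport} -> "
              f"{key.dst}:{key.dport}: {len(stamps)} entries, {same}")
        for ts in stamps:
            print(f"    {ts}")
    return len(dups)


if __name__ == "__main__":
    report(SAMPLE_FASTLOG)
```

Run it against a real fast.log by passing the file contents to report(). The grouping key deliberately includes the full 5-tuple: if the second entry turned out to be for the server-to-client direction (for example the request string echoed back in the response), it would show up as a separate group rather than as a duplicate, which is exactly the distinction the Wireshark capture in the original post was meant to settle. The parser is strict on purpose; a line it rejects is worth looking at rather than discarding.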