[Oisf-users] Why one request, two alerts(logs in fast.log)?

郑博文 anshuitian at gmail.com
Mon Jan 14 08:15:50 UTC 2013


I re-tested; the details are:

version:
1.4 release

suricata.yaml:
...
default-rule-path: /etc/suricata/rules/
rule-files:

 - local.rules
...

local.rules:
alert ip any any -> any any (msg:"http test for 2000001";
content:"aaabbbccc"; sid:2000001; rev:1;)

Now I sent a GET request to the server that the IPS protects, and
fast.log produces the following log:
01/14/2013-16:05:18.125442  [**] [1:2000001:1] http test for 2000001 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.9.140:8045 -> 192.168.9.14:80
01/14/2013-16:05:18.126659  [**] [1:2000001:1] http test for 2000001 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.9.140:8045 -> 192.168.9.14:80
01/14/2013-16:05:18.128767  [**] [1:2000001:1] http test for 2000001 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.9.140:8045 -> 192.168.9.14:80
01/14/2013-16:05:18.129407  [**] [1:2000001:1] http test for 2000001 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.9.140:8045 -> 192.168.9.14:80

and I captured packets with Wireshark, see pic1.jpg

the cmd line:
/usr/bin/suricata -D -c /etc/suricata/suricata.yaml -q 50 -q 51 -q 52 -q 53
--runmode workers

iptables:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
14571 2019K NFQUEUE    all  --  any    any     anywhere             anywhere            length 0:1500 NFQUEUE balance 50:53

I also changed the protocol to http or tcp; same result.




2013/1/14 郑博文 <anshuitian at gmail.com>

>
>
> 2013/1/14 郑博文 <anshuitian at gmail.com>
>
>> Hello, all:
>>     I use Suricata in IPS mode. I send a GET request to the server that
>> the IPS protects, and the request touches off the 20000001 sig; the
>> 20000001 signature is: drop http any any -> any any (msg:"http test for
>> 2000001"; content:"20000001"; sid:2000001; rev:1;)
>>     but two identical logs are generated in fast.log (whatever the action
>> type of the signature is, there are two identical logs), like this:
>>
>>     but I captured packets with Wireshark, like this:
>>
>>     Why?
>>
>
>
>
> sorry, the pictures were damaged.
>
> the first pic is 1.jpg, the second pic is 2.jpg.
>
Attachment: pic1.jpg (image/jpeg, 192696 bytes)
<http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130114/b5e1daea/attachment-0002.jpg>
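The fast.log excerpt above shows one sid firing four times on the same TCP flow (192.168.9.140:8045 -> 192.168.9.14:80) within about 4 ms. When chasing this kind of report it helps to group alerts by sid and 5-tuple and look at the gaps between them, so they can be lined up against the packet timestamps in the Wireshark capture (for instance to see whether each alert sits on a distinct packet, or whether several alerts fall on one). The script below is an added example, not code from the original mail or from the Suricata project: it parses fast.log lines in the format shown on this page and reports repeated alerts per flow inside a time window. Its sample input is constructed from the post's four lines, re-joined onto one line each, plus one invented alert from client port 8046 to show that distinct flows stay in separate groups; the window size and the port-bearing `src:port -> dst:port` form are assumptions that match the TCP lines quoted here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the four fast.log entries quoted in the post,
# re-joined onto one line each (fast.log writes one alert per line; the mail
# client wrapped them), plus one invented alert from client port 8046.
SAMPLE_FAST_LOG = """\
01/14/2013-16:05:18.125442  [**] [1:2000001:1] http test for 2000001 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.9.140:8045 -> 192.168.9.14:80
01/14/2013-16:05:18.126659  [**] [1:2000001:1] http test for 2000001 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.9.140:8045 -> 192.168.9.14:80
01/14/2013-16:05:18.128767  [**] [1:2000001:1] http test for 2000001 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.9.140:8045 -> 192.168.9.14:80
01/14/2013-16:05:18.129407  [**] [1:2000001:1] http test for 2000001 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.9.140:8045 -> 192.168.9.14:80
01/14/2013-16:05:20.000000  [**] [1:2000001:1] http test for 2000001 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.9.140:8046 -> 192.168.9.14:80
"""

# One fast.log alert line, in the shape shown on this page (assumes the
# src:port -> dst:port form that TCP/UDP alerts use).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+?):(?P<sport>\d+)\s+->\s+(?P<dst>\S+?):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Parse fast.log text into a list of dicts (one per alert line).

    Lines that do not match the format (blank lines, mail-wrapped fragments)
    are skipped rather than raising, so a pasted excerpt can be fed in as-is.
    """
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        for field in ("gid", "sid", "rev", "priority", "sport", "dport"):
            rec[field] = int(rec[field])
        alerts.append(rec)
    return alerts


def find_repeated_alerts(alerts, window_us=1_000_000):
    """Group alerts by (sid, proto, src, sport, dst, dport) and report every
    group with more than one alert whose first and last members lie within
    window_us microseconds (assumed default: 1 second).

    Each report entry carries the count, the total spread in microseconds and
    the gap between consecutive alerts, which is what you compare against the
    packet timestamps in a capture of the same flow.
    """
    groups = defaultdict(list)
    for a in alerts:
        key = (a["sid"], a["proto"], a["src"], a["sport"], a["dst"], a["dport"])
        groups[key].append(a["ts"])

    one_us = timedelta(microseconds=1)
    report = []
    for key, stamps in groups.items():
        stamps.sort()
        spread_us = (stamps[-1] - stamps[0]) // one_us
        if len(stamps) > 1 and spread_us <= window_us:
            gaps_us = [(b - a) // one_us for a, b in zip(stamps, stamps[1:])]
            report.append({"key": key, "count": len(stamps),
                           "spread_us": spread_us, "gaps_us": gaps_us})
    report.sort(key=lambda r: -r["count"])
    return report


if __name__ == "__main__":
    for r in find_repeated_alerts(parse_fast_log(SAMPLE_FAST_LOG)):
        sid, proto, src, sport, dst, dport = r["key"]
        print(f"sid {sid} {proto} {src}:{sport} -> {dst}:{dport}: "
              f"{r['count']} alerts within {r['spread_us']} us, "
              f"gaps {r['gaps_us']} us")
```

Run against a real fast.log, the output gives one line per flow that alerted repeatedly; the gap list is what to match against frame times in the capture for that 5-tuple.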