[Oisf-users] false alerts?
Jose Paulo
paulo at sistemasolar.com.br
Wed Mar 27 12:03:33 UTC 2013
Hello all.
I'm studying Suricata and I got this result:
11/16/2011-15:00:00.198278 [**] [1:9000005:0] HEX offset 503 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:00:00.198278 [**] [1:9000004:0] HEX offset 510 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:00:09.374228 [**] [1:9000005:0] HEX offset 503 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:00:09.374228 [**] [1:9000004:0] HEX offset 510 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:00:09.374228 [**] [1:9000001:0] HEX no offset [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:31.769957 [**] [1:9000005:0] HEX offset 503 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:38.380502 [**] [1:9000005:0] HEX offset 503 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:38.380502 [**] [1:9000001:0] HEX no offset [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:44.609767 [**] [1:9000005:0] HEX offset 503 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:44.609767 [**] [1:9000004:0] HEX offset 510 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:44.609767 [**] [1:9000002:0] HEX offset 514 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:48.726883 [**] [1:9000005:0] HEX offset 503 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:48.726883 [**] [1:9000004:0] HEX offset 510 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:48.726883 [**] [1:9000002:0] HEX offset 514 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:48.726883 [**] [1:9000001:0] HEX no offset [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
against this rules set:
alert tcp any any <> any 23 (msg:"HEX no offset "; content: "|F8 F8 F8
F8 40 C3 81 89 A7 81|"; sid:9000001;)
alert tcp any any <> any 23 (msg:"HEX offset 514"; content: "|F8 F8 F8
F8 40 C3 81 89 A7 81|"; offset:514; sid:9000002;)
alert tcp any any <> any 23 (msg:"HEX offset 516"; content: "|F8 F8 F8
F8 40 C3 81 89 A7 81|"; offset:516; sid:9000003;)
alert tcp any any <> any 23 (msg:"HEX offset 510"; content: "|F8 F8 F8
F8 40 C3 81 89 A7 81|"; offset:510; sid:9000004;)
alert tcp any any <> any 23 (msg:"HEX offset 503"; content: "|F8 F8 F8
F8 40 C3 81 89 A7 81|"; offset:503; sid:9000005;)
My doubts are:
1) Why I'm getting alerts for sid's 9000004,5 for the same packet if the
offset is shifted?
11/16/2011-15:01:48.726883 [**] [1:9000005:0] HEX offset 503 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:48.726883 [**] [1:9000004:0] HEX offset 510 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:48.726883 [**] [1:9000002:0] HEX offset 514 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:48.726883 [**] [1:9000001:0] HEX no offset [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
2) Why I'm not getting alerts for sid 9000001 if I got for the others?
11/16/2011-15:01:44.609767 [**] [1:9000005:0] HEX offset 503 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:44.609767 [**] [1:9000004:0] HEX offset 510 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:44.609767 [**] [1:9000002:0] HEX offset 514 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
The expected result is only this:
11/16/2011-15:00:09.374228 [**] [1:9000004:0] HEX offset 510 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:00:09.374228 [**] [1:9000001:0] HEX no offset [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:38.380502 [**] [1:9000005:0] HEX offset 503 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:38.380502 [**] [1:9000001:0] HEX no offset [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:48.726883 [**] [1:9000002:0] HEX offset 514 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:48.726883 [**] [1:9000001:0] HEX no offset [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
I don't understand why the others occurs.
Any enlightenment will be welcome.
Best regards!
José Paulo
More information about the Oisf-users
mailing list