[Oisf-users] false alerts?

Jose Paulo paulo at sistemasolar.com.br
Wed Mar 27 12:03:33 UTC 2013


Hello all.

I'm studying Suricata and I got this result:

11/16/2011-15:00:00.198278  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:00:00.198278  [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:00:09.374228  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:00:09.374228  [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:00:09.374228  [**] [1:9000001:0] HEX no offset  [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:31.769957  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:38.380502  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:38.380502  [**] [1:9000001:0] HEX no offset  [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:44.609767  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:44.609767  [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:44.609767  [**] [1:9000002:0] HEX offset 514 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:48.726883  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:48.726883  [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:48.726883  [**] [1:9000002:0] HEX offset 514 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:48.726883  [**] [1:9000001:0] HEX no offset  [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569

against this rule set:

alert tcp any any <> any 23 (msg:"HEX no offset "; content: "|F8 F8 F8 F8 40 C3 81 89 A7 81|"; sid:9000001;)
alert tcp any any <> any 23 (msg:"HEX offset 514"; content: "|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:514; sid:9000002;)
alert tcp any any <> any 23 (msg:"HEX offset 516"; content: "|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:516; sid:9000003;)
alert tcp any any <> any 23 (msg:"HEX offset 510"; content: "|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:510; sid:9000004;)
alert tcp any any <> any 23 (msg:"HEX offset 503"; content: "|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:503; sid:9000005;)

My doubts are:

1) Why am I getting alerts for sids 9000004 and 9000005 for the same packet if the
offset is shifted?

11/16/2011-15:01:48.726883  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:48.726883  [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:48.726883  [**] [1:9000002:0] HEX offset 514 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:48.726883  [**] [1:9000001:0] HEX no offset  [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569

2) Why am I not getting alerts for sid 9000001 if I got them for the others?

11/16/2011-15:01:44.609767  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:44.609767  [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:44.609767  [**] [1:9000002:0] HEX offset 514 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569

The expected result is only this:
11/16/2011-15:00:09.374228  [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:00:09.374228  [**] [1:9000001:0] HEX no offset  [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:38.380502  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:38.380502  [**] [1:9000001:0] HEX no offset  [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:48.726883  [**] [1:9000002:0] HEX offset 514 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
11/16/2011-15:01:48.726883  [**] [1:9000001:0] HEX no offset  [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569

I don't understand why the others occur.
Any enlightenment will be welcome.

Best regards!

José Paulo
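An added illustration of the behaviour behind question 1 (editor's example, not part of the original post and not Suricata's own code): in Suricata and Snort rules, `offset` sets the byte at which the content search starts, not the position where the match must sit. A pattern found at byte 514 therefore satisfies `offset:503`, `offset:510`, `offset:514` and the rule with no offset at once, which is exactly the four-alert group at 15:01:48 above. To tie a match to a single position, `offset` is paired with `depth`, which is counted from the offset, set to the pattern length. The script below models that matching over constructed payloads (the space filler, the 600-byte payload length and the helper names are assumptions) and prints the pinned form of the posted rules. It does not reproduce question 2: on one and the same payload, every match for an offset rule is also a match for sid 9000001, so the missing 9000001 alert at 15:01:44 has to come from something other than the rule options themselves.

```python
"""Model of how content + offset + depth select a match window in a
Suricata/Snort rule. Editor's example; payloads below are constructed."""
from typing import Dict, Optional

# The 10-byte pattern from the posted rules: |F8 F8 F8 F8 40 C3 81 89 A7 81|
PATTERN = bytes.fromhex("f8f8f8f840c38189a781")

# The five rules as posted. offset = byte index where the search STARTS;
# depth None = search to the end of the payload.
RULES_AS_POSTED: Dict[int, dict] = {
    9000001: {"msg": "HEX no offset",  "offset": 0,   "depth": None},
    9000002: {"msg": "HEX offset 514", "offset": 514, "depth": None},
    9000003: {"msg": "HEX offset 516", "offset": 516, "depth": None},
    9000004: {"msg": "HEX offset 510", "offset": 510, "depth": None},
    9000005: {"msg": "HEX offset 503", "offset": 503, "depth": None},
}

# Same rules with the window closed: depth (counted from offset) equal to
# the pattern length, so the pattern must sit exactly at offset. The
# "no offset" rule is left unbounded; matching anywhere is its purpose.
RULES_PINNED: Dict[int, dict] = {
    sid: dict(r, depth=(len(PATTERN) if r["offset"] else None))
    for sid, r in RULES_AS_POSTED.items()
}


def content_matches(payload: bytes, pattern: bytes,
                    offset: int = 0, depth: Optional[int] = None) -> bool:
    """True if the whole pattern lies inside the window [offset, offset+depth)."""
    region = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in region


def firing_sids(payload: bytes, rules: Dict[int, dict]) -> list:
    """Sorted list of sids whose content option matches this payload."""
    return sorted(sid for sid, r in rules.items()
                  if content_matches(payload, PATTERN, r["offset"], r["depth"]))


def build_payload(position: int, total: int = 600) -> bytes:
    """Constructed payload: spaces everywhere except PATTERN at `position`."""
    filler = b"\x20" * total
    return filler[:position] + PATTERN + filler[position + len(PATTERN):]


def render_rule(sid: int, rule: dict) -> str:
    """Rule text in the page's own style, with depth added where set."""
    hexstr = " ".join(f"{b:02X}" for b in PATTERN)
    opts = [f'msg:"{rule["msg"]}"', f'content:"|{hexstr}|"']
    if rule["offset"]:
        opts.append(f'offset:{rule["offset"]}')
    if rule["depth"] is not None:
        opts.append(f'depth:{rule["depth"]}')
    opts.append(f"sid:{sid}")
    return "alert tcp any any <> any 23 (" + "; ".join(opts) + ";)"


if __name__ == "__main__":
    for pos in (503, 510, 514, 516):
        p = build_payload(pos)
        print(f"pattern at byte {pos}: as posted -> {firing_sids(p, RULES_AS_POSTED)}"
              f", pinned -> {firing_sids(p, RULES_PINNED)}")
    print()
    for sid, r in sorted(RULES_PINNED.items()):
        print(render_rule(sid, r))
```

With the pattern at byte 514 the posted rules fire 9000001, 9000002, 9000004 and 9000005, the same set as the 15:01:48 group; the pinned rules fire only 9000001 and 9000002.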


