[Oisf-users] Suricata 1.4 unified2 log and rules issues

marwane azzouzi azzouzi.marwane at hotmail.fr
Fri Mar 29 10:44:23 UTC 2013


Hello, I'm testing Suricata 1.4.1.

The first purpose of the test is to show events on a GUI: I chose BASE (1.4.5) as the GUI and Barnyard2 (2.1.12) to parse Suricata's unified2 files and put the alerts into the database. I got the following results:

I wrote a simple ICMP rule:

alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)

Suricata can detect the ICMP and put it into the unified2 file, but Barnyard2 is unable to parse it and put the alert into the DB. I got this error:

WARNING database [Database()]: Called with Event[0x37e5170] Event Type [72] (P)acket [0x0], information has not been outputed.
WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x3328e30], information has not been outputed.

Can it be an issue related to the unified2 file, the way that Suricata logs to unified2? (Barnyard2 installation is verified and OK.)

I tested the following VoIP scan (sivus) rule, which is a VRT one:

alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"VOIP-SIP-UDP Sivus scanner detected"; flow:to_server;content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s*sivus-discovery/Hsmi"; reference:url,www.vopsecurity.org/; classtype:network-scan; sid:12112; rev:4;)

But no alerts in the unified2 file! Does Suricata support Snort rules?

I tested the following VoIP scan (sipvicious) rule, which is an ET rule:

alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"VOIP-SIP- SCAN Sipvicious User-Agent Detected"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; classtype: network-scan; reference:url,blog.sipvicious.org/; sid:2011716; rev:2;)

But no alerts in the unified2 file! Does Suricata have some issues with ET rules?

I'm interested in your IDS and would like to make other tests, especially on VoIP. Could you please give me some responses about the mentioned issues?

Thank you
Marwane AZZOUZI
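Added example, not part of the original post and not code from Suricata or Barnyard2: the "Event Type [72]" in the warning above is the record-type number from the unified2 record header, so the quickest way to see what Suricata actually wrote, before blaming the Barnyard2 side, is to walk the file and decode the headers yourself. The script below reads a unified2 file, names each record type using the constants from Snort's Unified2_common.h (7 = IDS_EVENT for IPv4, 72 = IDS_EVENT_IPV6, 2 = PACKET, 104/105 = the VLAN variants, 110 = EXTRA_DATA), fully decodes the 52-byte IPv4 event and the packet record, and refuses truncated files instead of mis-parsing them. The sample bytes at the bottom are constructed by hand to look like an alert from the sid:1000001 ICMP rule; they were not captured from a real sensor, and the file path in the usage note is a placeholder.

```python
"""Walk a unified2 file (as written by Suricata or Snort) and decode its record headers."""
import socket
import struct
import sys

# Record type numbers from Snort's Unified2_common.h; Suricata writes the same values.
RECORD_TYPES = {
    2: "PACKET",
    7: "IDS_EVENT",            # IPv4 alert, fixed 52-byte body
    72: "IDS_EVENT_IPV6",
    104: "IDS_EVENT_VLAN",     # also called IDS_EVENT_V2
    105: "IDS_EVENT_IPV6_VLAN",
    110: "EXTRA_DATA",
}

HEADER = struct.Struct("!II")                       # record_type, record_length (big-endian)
IDS_EVENT = struct.Struct("!IIIIIIIII4s4sHHBBBB")   # 52 bytes: the IPv4 event body
PACKET_HDR = struct.Struct("!IIIIIII")              # 28 bytes, then packet_length bytes of frame


def iter_records(data):
    """Yield (record_type, body) for every record; raise on a record cut off mid-body."""
    off = 0
    while off + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, off)
        off += HEADER.size
        if off + rlen > len(data):
            raise ValueError(f"truncated record of type {rtype} at offset {off - HEADER.size}")
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_ids_event(body):
    """Decode a type-7 (IPv4) event body into a dict keyed by the unified2 field names."""
    if len(body) != IDS_EVENT.size:
        raise ValueError(f"IDS_EVENT body is {len(body)} bytes, expected {IDS_EVENT.size}")
    f = IDS_EVENT.unpack(body)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2], "event_usec": f[3],
        "sid": f[4], "gid": f[5], "rev": f[6], "classification": f[7], "priority": f[8],
        "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
        "sport_itype": f[11], "dport_icode": f[12], "proto": f[13],
        "impact_flag": f[14], "impact": f[15], "blocked": f[16],
    }


def parse_packet(body):
    """Decode a type-2 packet record; the frame follows the 28-byte fixed header."""
    f = PACKET_HDR.unpack_from(body, 0)
    pkt = body[PACKET_HDR.size:PACKET_HDR.size + f[6]]
    if len(pkt) != f[6]:
        raise ValueError("packet record shorter than its packet_length field")
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "packet_second": f[3], "packet_usec": f[4], "linktype": f[5], "packet": pkt}


def summarize(data):
    """One line per record, so the file contents can be compared with what Barnyard2 reports."""
    lines = []
    for rtype, body in iter_records(data):
        name = RECORD_TYPES.get(rtype, f"UNKNOWN({rtype})")
        if rtype == 7:
            e = parse_ids_event(body)
            lines.append(f"{name} event_id={e['event_id']} gid={e['gid']} sid={e['sid']} "
                         f"rev={e['rev']} {e['src']} -> {e['dst']} proto={e['proto']}")
        elif rtype == 2:
            p = parse_packet(body)
            lines.append(f"{name} event_id={p['event_id']} linktype={p['linktype']} "
                         f"{len(p['packet'])} bytes")
        else:
            lines.append(f"{name} {len(body)} bytes (not decoded here)")
    return lines


def build_record(rtype, body):
    """Frame a body with a unified2 record header (used here only to build the sample)."""
    return HEADER.pack(rtype, len(body)) + body


# Constructed sample, NOT captured from Suricata: an ICMP echo alert from gid 1 / sid 1000001
# with a short placeholder frame as its packet record.
SAMPLE_EVENT = IDS_EVENT.pack(0, 1, 1364553863, 0, 1000001, 1, 1, 0, 3,
                              socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"),
                              8, 0, 1, 0, 0, 0)
SAMPLE_FRAME = bytes.fromhex("45000054")  # placeholder bytes standing in for a captured frame
SAMPLE_PACKET = PACKET_HDR.pack(0, 1, 1364553863, 1364553863, 0, 1, len(SAMPLE_FRAME)) + SAMPLE_FRAME
SAMPLE = build_record(7, SAMPLE_EVENT) + build_record(2, SAMPLE_PACKET)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    print("\n".join(summarize(data)))
```

Run it as `python unified2_walk.py /var/log/suricata/unified2.alert.1364553863` (hypothetical path; Suricata appends a timestamp to the name set in suricata.yaml) and compare the record types listed with the "Event Type" numbers in the Barnyard2 warnings; with no argument it decodes the constructed sample instead.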