[Oisf-users] threshold will not work on suricata v1.4.1
Peter Manev
petermanev at gmail.com
Fri Mar 22 13:33:13 UTC 2013
what is the diff between the two sigs?
On Fri, Mar 22, 2013 at 2:31 PM, Stefan Sabolowitsch <
Stefan.Sabolowitsch at felten-group.com> wrote:
> maybe yes, when I see these issues…
>
> On 22.03.2013 at 14:27 Peter Manev <petermanev at gmail.com> wrote:
>
>
>
> On Fri, Mar 22, 2013 at 2:13 PM, Stefan Sabolowitsch <
> Stefan.Sabolowitsch at felten-group.com> wrote:
>
>> Hi Peter,
>> what I see is the following.
>>
>> this works:
>>
>> global threshold
>> suppress gen_id 0, sig_id 0, track by_src, ip 192.168.1.25
>> suppress gen_id 0, sig_id 0, track by_dst, ip 192.168.1.25
>>
>> Suppress this event completely
>> # gen_id_1
>> suppress gen_id 1, sig_id 536
>> #"GPL SHELLCODE x86 NOOP"
>> suppress gen_id 1, sig_id 648
>> #GPL SHELLCODE x86 0x90 unicode NOOP
>> suppress gen_id 1, sig_id 653
>> # This set of instructions can be used as a NOOP to pad buffers on x86 architecture machines.
>> suppress gen_id 1, sig_id 1390
>> suppress gen_id 1, sig_id 2452
>> suppress gen_id 1, sig_id 8375
>>
>> but not these rules (sig_id, src, dst, IP)
>> suppress gen_id 139, sig_id 430, track by_src, ip 192.168.1.37
>> suppress gen_id 139, sig_id 430, track by_dst, ip 192.168.1.37
>> suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
>> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
>>
> so anything with a sid longer than 4 digits?
>
>> suppress gen_id 139, sig_id 2100498, track by_src, ip 192.168.1.37
>> suppress gen_id 139, sig_id 2100498, track by_src, ip 192.168.1.37
>> suppress gen_id 139, sig_id 2102123, track by_src, ip 192.168.1.37
>> suppress gen_id 139, sig_id 2102123, track by_dst, ip 192.168.1.37
>>
>>
>>
>> On 22.03.2013 at 14:05 Peter Manev <petermanev at gmail.com> wrote:
>>
>> Hi Stefan,
>>
>> So you are saying it was working before... and now it is not again?
>> Thanks
>>
>> On Fri, Mar 22, 2013 at 2:03 PM, Stefan Sabolowitsch <
>> Stefan.Sabolowitsch at felten-group.com> wrote:
>>
>>> Hi all,
>>> I have here the latest Suricata (in IPS mode) on CentOS 6.4 with a 3.8 kernel.
>>>
>>> these rules
>>>
>>> suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
>>> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
>>>
>>> or these will not work
>>>
>>> suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.100.120
>>> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.100.120
>>>
>>> I always get this alarm on suri (no errors seen in the suri log file)
>>>
>>> Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918
>>>
>>> any help here?
>>>
>>> Best regards
>>> Stefan
>>>
>>>
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>>
>>
>>
>
>
> --
> Regards,
> Peter Manev
>
>
>
--
Regards,
Peter Manev
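As an added example, not part of this thread and not Suricata's own code: a small Python checker that applies the suppress matching rules documented for threshold.config (gen_id and sig_id must equal the alert's gid and sid, with 0 as a wildcard; a track by_src or by_dst clause compares the ip field, single address or CIDR, with the alert's source or destination address) to a syslog-formatted fast alert line. Run against the alert and suppress lines quoted above, embedded here as constructed sample data, it reports that the entries for sig_id 2002068 carry gen_id 139 while the alert was raised with gid 1 ([1:2002068:8]), which is the mismatch to check first when a suppress line seems to be ignored. The regexes, the dataclass names and the diagnose() logic are my own assumptions about how to model the file, not a Suricata API.

```python
"""Check whether a Suricata/Snort-style alert line would be suppressed by the
suppress entries of a threshold.config file.

Matching rules implemented (as documented for Suricata's threshold.config):
  - gen_id must equal the alert's gid, or be 0 (wildcard)
  - sig_id must equal the alert's sid, or be 0 (wildcard)
  - no track clause: the signature is suppressed everywhere
  - track by_src / by_dst: the alert's source / destination address must
    fall inside the ip field (single address or CIDR block)
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample: the global wildcards plus the lines quoted in the thread.
THRESHOLD_CONF = """
# global suppress entries
suppress gen_id 0, sig_id 0, track by_src, ip 192.168.1.25
suppress gen_id 0, sig_id 0, track by_dst, ip 192.168.1.25
suppress gen_id 1, sig_id 648
suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
"""

# Constructed sample: the syslog alert line quoted in the thread.
ALERT = ("Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify "
         "Connect - Possible Backup Exec Remote Agent Recon "
         "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
         "192.168.100.120:10000 -> 192.168.1.37:59918")

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$")
# "... [gid:sid:rev] msg ... {PROTO} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"\[(\d+):(\d+):(\d+)\].*\{(\w+)\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)")

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class SuppressRule:
    gen_id: int
    sig_id: int
    track: Optional[str]      # "by_src", "by_dst" or None (suppress everywhere)
    network: Optional[Network]
    line: str                 # original text, kept for diagnostics


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    proto: str
    src: Address
    dst: Address


def parse_threshold_conf(text: str) -> List[SuppressRule]:
    """Return the suppress entries of a threshold.config; other entry types
    (threshold, rate_filter) are skipped by this checker."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            continue
        gen_id, sig_id, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append(SuppressRule(int(gen_id), int(sig_id), track, net, line))
    return rules


def parse_alert(line: str) -> Alert:
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("unrecognised alert format: %r" % line)
    gid, sid, rev, proto, src, _sport, dst, _dport = m.groups()
    return Alert(int(gid), int(sid), int(rev), proto,
                 ipaddress.ip_address(src), ipaddress.ip_address(dst))


def rule_matches(rule: SuppressRule, alert: Alert) -> bool:
    if rule.gen_id not in (0, alert.gid) or rule.sig_id not in (0, alert.sid):
        return False
    if rule.track is None:
        return True
    addr = alert.src if rule.track == "by_src" else alert.dst
    return addr in rule.network


def find_suppressing_rule(rules: List[SuppressRule], alert: Alert) -> Optional[SuppressRule]:
    """First suppress entry that would silence this alert, or None."""
    for rule in rules:
        if rule_matches(rule, alert):
            return rule
    return None


def diagnose(rules: List[SuppressRule], alert: Alert) -> List[str]:
    """For entries written for this sid that do not fire, say why."""
    notes = []
    for rule in rules:
        if rule.sig_id != alert.sid:
            continue
        if rule.gen_id not in (0, alert.gid):
            notes.append("%s: gen_id %d does not match alert gid %d"
                         % (rule.line, rule.gen_id, alert.gid))
        elif rule.track is not None:
            addr = alert.src if rule.track == "by_src" else alert.dst
            if addr not in rule.network:
                notes.append("%s: %s address %s is not in %s"
                             % (rule.line, rule.track, addr, rule.network))
    return notes


if __name__ == "__main__":
    rules = parse_threshold_conf(THRESHOLD_CONF)
    alert = parse_alert(ALERT)
    hit = find_suppressing_rule(rules, alert)
    print("suppressed by:", hit.line if hit else "nothing")
    for note in diagnose(rules, alert):
        print("note:", note)
```

Feed it the real threshold.config and a line from fast.log or syslog to see which entry, if any, would silence a given alert; when the answer is "nothing", the diagnose() output names the field (gen_id, sig_id or the tracked address) that prevents the match.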