[Oisf-users] threshold will not work on suricata v1.4.1

Victor Julien lists at inliniac.net
Fri Mar 22 13:36:13 UTC 2013


On 03/22/2013 02:03 PM, Stefan Sabolowitsch wrote:
> Hi all,
> I have here the latest Suricata (in IPS mode) on CentOS 6.4 with a 3.8 kernel.
> 
> These rules
> 
> suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
> 
> or these will not work
> 
> suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.100.120
> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.100.120
> 
> I always get this alarm on Suri (no errors seen in the Suri log file)
> 
> Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918

The alert shows generator id 1 (which is the default in Suricata), yet
the threshold rules try to suppress gen_id 139. Please try setting
gen_id in the suppress rules to 1.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
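The mismatch Victor points out (suppress rules keyed on gen_id 139 while the alert carries gid 1) is easy to check mechanically before reloading. The following is an added example, not code from the thread or from Suricata: it parses threshold.config "suppress" lines and a syslog/fast.log-style alert line, and reports for each rule why it does not match. It assumes exact IP matching only (real threshold.config also accepts CIDR and bracketed lists) and uses the rule and alert text from the thread as constructed sample input.

```python
import re
from typing import Dict, List

# threshold.config "suppress" line; the "track ..., ip ..." part is optional
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$")
# "[gid:sid:rev] msg ... {PROTO} src:port -> dst:port" as logged via syslog
ALERT_RE = re.compile(
    r"\[(\d+):(\d+):(\d+)\].*?\{\w+\}\s+(\S+):\d+\s+->\s+(\S+):\d+")

# Constructed sample input, copied from the thread above
ALERT = ("Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify Connect"
         " - Possible Backup Exec Remote Agent Recon [Classification: Attempted Information"
         " Leak] [Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918")
BROKEN = ("suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.100.120\n"
          "suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37\n")
FIXED = BROKEN.replace("gen_id 139", "gen_id 1")  # Victor's suggested fix

def parse_suppress(config: str) -> List[Dict]:
    """Parse suppress lines; blank lines and '#' comments are skipped."""
    rules = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unparsed threshold line: {line!r}")
        gid, sid, track, ip = m.groups()
        rules.append({"gen_id": int(gid), "sig_id": int(sid), "track": track, "ip": ip})
    return rules

def parse_alert(line: str) -> Dict:
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not an alert line")
    gid, sid, _rev, src, dst = m.groups()
    return {"gid": int(gid), "sid": int(sid), "src": src, "dst": dst}

def why_not_suppressed(alert: Dict, rules: List[Dict]) -> List[str]:
    """Empty list if some rule suppresses the alert, else one reason per rule."""
    reasons = []
    for r in rules:
        side = r["track"][3:] if r["track"] else None  # "src" or "dst"
        if r["gen_id"] != alert["gid"]:
            reasons.append(f"rule gen_id {r['gen_id']} != alert gid {alert['gid']}")
        elif r["sig_id"] != alert["sid"]:
            reasons.append(f"rule sig_id {r['sig_id']} != alert sid {alert['sid']}")
        elif side is None or alert[side] == r["ip"]:
            return []  # this rule matches; the alert would be suppressed
        else:
            reasons.append(f"{r['track']} ip {r['ip']} != alert {side} {alert[side]}")
    return reasons
```

Running `why_not_suppressed(parse_alert(ALERT), parse_suppress(BROKEN))` names the gen_id mismatch for both rules, while the same call with `FIXED` returns an empty list.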