[Oisf-users] threshold will not work on suricata v1.4.1
Victor Julien
lists at inliniac.net
Fri Mar 22 13:36:13 UTC 2013
On 03/22/2013 02:03 PM, Stefan Sabolowitsch wrote:
> Hi all,
> i have here latest suricata (in IPS mode) on Centos 6.4 with 3.8 Kernel.
>
> this rules
>
> suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
> or this will not work
>
> suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.100.120
> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.100.120
>
> i get always this alarm on suri (no errors seen in sure log file)
>
> Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918
The alert shows generator id 1 (which is the default in suricata), yet
the threshold rules try to suppress gen_id 139. Please try setting
gen_id in the suppress rules to 1.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list