[Oisf-users] threshold will not work on suricata v1.4.1
Stefan Sabolowitsch
Stefan.Sabolowitsch at felten-group.com
Fri Mar 22 13:36:48 UTC 2013
Sorry Peter, what do you mean exactly? I don't understand your question...
On 22.03.2013 at 14:33, Peter Manev <petermanev at gmail.com> wrote:
What is the diff between the two sigs?
On Fri, Mar 22, 2013 at 2:31 PM, Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:
Maybe yes, when I see these issues....
On 22.03.2013 at 14:27, Peter Manev <petermanev at gmail.com> wrote:
On Fri, Mar 22, 2013 at 2:13 PM, Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:
Hi Peter,
What I see is the following.
This works:
# global threshold
suppress gen_id 0, sig_id 0, track by_src, ip 192.168.1.25
suppress gen_id 0, sig_id 0, track by_dst, ip 192.168.1.25
# Suppress this event completely
# gen_id_1
suppress gen_id 1, sig_id 536
#"GPL SHELLCODE x86 NOOP"
suppress gen_id 1, sig_id 648
#GPL SHELLCODE x86 0x90 unicode NOOP
suppress gen_id 1, sig_id 653
# This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines.
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 8375
But not these rules (sig_id, src, dst, IP):
suppress gen_id 139, sig_id 430, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 430, track by_dst, ip 192.168.1.37
suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
So anything with a sid longer than 4 digits?
suppress gen_id 139, sig_id 2100498, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 2100498, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 2102123, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 2102123, track by_dst, ip 192.168.1.37
On 22.03.2013 at 14:05, Peter Manev <petermanev at gmail.com> wrote:
Hi Stefan,
So you are saying it was working before... and now it is not again?
Thanks
On Fri, Mar 22, 2013 at 2:03 PM, Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:
Hi all,
I have here the latest Suricata (in IPS mode) on CentOS 6.4 with a 3.8 kernel.
These rules
suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
or these will not work:
suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.100.120
suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.100.120
I always get this alarm on suri (no errors seen in the Suricata log file):
Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918
Any help here?
Best regards
Stefan
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/
--
Regards,
Peter Manev
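As an added illustration (not code from the thread or from Suricata), a small Python checker that models how threshold.config suppress lines are matched against a fast.log/syslog-style alert. It assumes a simplified rule (gen_id and sig_id must match, 0 acting as a wildcard, then the tracked address must fall inside the listed ip), which is an assumption and not Suricata's own implementation. Run on the lines quoted in the thread, it shows that the alert carries gen_id 1 ([1:2002068:8]) while the suppress lines use gen_id 139, and that its source address is 192.168.100.120, so only a by_dst rule on 192.168.1.37 could apply.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input, copied from the thread: the two suppress lines that
# "will not work" and the alert Suricata kept raising (link residue removed).
THRESHOLD_CONF = """
suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
"""
ALERT = ("[1:2002068:8] ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote "
         "Agent Recon [Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918")

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
    r"(?:,\s*track\s+(by_src|by_dst),\s*ip\s+(\S+))?$")
ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\].*?(\S+):\d+\s*->\s*(\S+):\d+")


def parse_suppress(text):
    """Return (gen_id, sig_id, track, network-or-None) tuples; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError("unparsable suppress line: " + line)
        gid, sid, track, ip = m.groups()
        net = ip_network(ip, strict=False) if ip else None
        rules.append((int(gid), int(sid), track, net))
    return rules


def parse_alert(line):
    """Return (gen_id, sig_id, src, dst) from a fast.log/syslog-style alert line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not an alert line")
    gid, sid, src, dst = m.groups()
    return int(gid), int(sid), ip_address(src), ip_address(dst)


def is_suppressed(rules, alert):
    """Simplified model (assumed, not Suricata's code): gen_id and sig_id must match,
    0 being a wildcard, and the tracked address must fall inside the rule's ip."""
    gid, sid, src, dst = alert
    for r_gid, r_sid, track, net in rules:
        if r_gid not in (0, gid) or r_sid not in (0, sid):
            continue  # e.g. gen_id 139 never matches an alert tagged [1:...]
        if track is None or (src if track == "by_src" else dst) in net:
            return True
    return False
```

Swapping gen_id 139 for gen_id 1 in THRESHOLD_CONF makes the by_dst line match the quoted alert under this model; the by_src line still does not, because the alert's source is 192.168.100.120.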