[Oisf-users] threshold will not work on suricata v1.4.1
Stefan Sabolowitsch
Stefan.Sabolowitsch at felten-group.com
Fri Mar 22 13:51:44 UTC 2013
Ahh OK Victor, but where can I change this value (suricata.yaml)?
I found only information (fast look) about "generation id" in alert-unified2-alert.c.
And brief information in the logfile would be helpful.
On 22.03.2013 at 14:36, Victor Julien <lists at inliniac.net> wrote:
> On 03/22/2013 02:03 PM, Stefan Sabolowitsch wrote:
>> Hi all,
>> I have here the latest Suricata (in IPS mode) on CentOS 6.4 with a 3.8 kernel.
>>
>> these rules
>>
>> suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
>> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
>
>> or these will not work
>>
>> suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.100.120
>> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.100.120
>>
>> I always get this alarm on suri (no errors seen in suri log file)
>>
>> Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918
>
> The alert shows generator id 1 (which is the default in suricata), yet
> the threshold rules try to suppress gen_id 139. Please try setting
> gen_id in the suppress rules to 1.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
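A small checker for the mismatch Victor points out, added here as an example and not part of the thread or of Suricata itself: it parses threshold.config suppress lines and alert lines, and reports every alert that no rule would silence, naming a gen_id mismatch when the sig_id agrees but the generator id does not. It assumes the suppress-line forms shown above (with an exact IP or a CIDR block in the ip field) and the syslog/fast.log alert layout quoted in the thread.

```python
import ipaddress
import re
# Constructed sample input taken from the thread: the two suppress rules and the alert they should silence.
THRESHOLD_CONF = """\
suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
"""
ALERT_LINES = [
    "Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify Connect - Possible Backup Exec "
    "Remote Agent Recon [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918",
]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$")
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\].*?\{\w+\}\s+([\d.]+):\d+\s+->\s+([\d.]+):\d+")
def parse_suppress_rules(text):
    """Parse threshold.config suppress lines; comments, blanks and other directives are skipped."""
    rules = []
    for line in text.splitlines():
        m = SUPPRESS_RE.match(line)
        if m:
            gid, sid, track, ip = m.groups()
            rules.append({"gen_id": int(gid), "sig_id": int(sid), "track": track, "ip": ip})
    return rules
def parse_alert(line):
    """Extract gid, sid and the src/dst addresses from a fast.log/syslog style alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, _rev, src, dst = m.groups()
    return {"gen_id": int(gid), "sig_id": int(sid), "src": src, "dst": dst}
def rule_matches(rule, alert):
    """True if the rule silences the alert: gid and sid must both agree, then the tracked address."""
    if (rule["gen_id"], rule["sig_id"]) != (alert["gen_id"], alert["sig_id"]):
        return False
    if rule["track"] is None:  # no track clause: suppress regardless of address
        return True
    host = alert["src"] if rule["track"] == "by_src" else alert["dst"]
    return ipaddress.ip_address(host) in ipaddress.ip_network(rule["ip"], strict=False)
def audit(conf_text, alert_lines):
    """Return (sig_id, reason) for every alert that no suppress rule would silence."""
    rules, leaks = parse_suppress_rules(conf_text), []
    for alert in filter(None, map(parse_alert, alert_lines)):
        if any(rule_matches(r, alert) for r in rules):
            continue
        rule_gids = sorted({r["gen_id"] for r in rules if r["sig_id"] == alert["sig_id"]})
        why = ("gen_id mismatch: rules use %s, alert shows %d" % (rule_gids, alert["gen_id"])
               if rule_gids and alert["gen_id"] not in rule_gids else "no suppress rule for this sid/address")
        leaks.append((alert["sig_id"], why))
    return leaks
```

Running `audit(THRESHOLD_CONF, ALERT_LINES)` reports the gen_id mismatch for sid 2002068; with the rules rewritten to gen_id 1 the by_dst rule matches and nothing leaks.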