[Oisf-users] threshold will not work on suricata v1.4.1

Victor Julien lists at inliniac.net
Fri Mar 22 13:57:55 UTC 2013


On 03/22/2013 02:51 PM, Stefan Sabolowitsch wrote:
> Ahh OK Victor, but where can I change this value (suricata.yaml)?
> I found only information (fast look) about "generation id" in alert-unified2-alert.c
> And a brief information in the logfile would be helpful

Gen id is a rule option. As the rules you are trying to suppress have
gen id 1, you just need to change the suppression rules to reflect that. So:

suppress gen_id 1, sig_id 2002068, track by_src, ip 192.168.1.37
suppress gen_id 1, sig_id 2002068, track by_dst, ip 192.168.1.37

If you really think you need to change the rule's gen_id/gid (which I
really doubt), then have a look at:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Gid-group-id

Cheers,
Victor

> 
> On 22.03.2013 at 14:36, Victor Julien <lists at inliniac.net> wrote:
> 
>> On 03/22/2013 02:03 PM, Stefan Sabolowitsch wrote:
>>> Hi all,
>>> I have here the latest suricata (in IPS mode) on Centos 6.4 with 3.8 Kernel.
>>>
>>> this rules
>>>
>>> suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
>>> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
>>
>>> or this will not work
>>>
>>> suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.100.120
>>> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.100.120
>>>
>>> I always get this alarm on suri (no errors seen in the suri log file)
>>>
>>> Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918
>>
>> The alert shows generator id 1 (which is the default in suricata), yet
>> the threshold rules try to suppress gen_id 139. Please try setting
>> gen_id in the suppress rules to 1.
>>
>> -- 
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
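The matching rule Victor describes (the suppress line's gen_id and sig_id must equal the gid and sid in the alert's `[gid:sid:rev]` tag, and `track by_src`/`by_dst` compares the rule's ip against the packet's source or destination address) can be checked offline before reloading threshold.config. The script below is an added example written for this page, not Suricata's own code: it parses the suppress lines and the syslog alert quoted in the thread, and reports for each rule whether it would apply and, if not, why. The function names (`parse_suppress`, `parse_alert`, `check`, `is_suppressed`) are this example's own, and it deliberately models only the subset of threshold.config syntax used in the thread plus an optional CIDR on `ip` and a `suppress` line without `track`; address lists, negation, `threshold` and `rate_filter` are not handled.

```python
"""Report which threshold.config 'suppress' lines apply to a given alert.

Added example, not Suricata code. It reproduces the matching discussed in
the thread: gen_id/sig_id must equal the alert's [gid:sid:rev] gid and sid,
and 'track by_src' / 'track by_dst' compare the rule's ip with the packet's
source or destination address. Only that subset of the syntax is modelled.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr[/prefix]>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)

# Fast-log style syslog line: "[gid:sid:rev] msg [Classification: ...] ... {PROTO} src:sport -> dst:dport"
# IPv4 only, which is all the thread's alert uses.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[Classification:"
    r".*\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class Suppress:
    gid: int
    sid: int
    track: Optional[str]                      # "by_src", "by_dst", or None (suppress for every host)
    network: Optional[ipaddress.IPv4Network]  # None when no track/ip is given
    text: str


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def parse_suppress(line: str) -> Suppress:
    m = SUPPRESS_RE.match(line)
    if not m:
        raise ValueError(f"not a supported suppress line: {line!r}")
    net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
    return Suppress(int(m["gid"]), int(m["sid"]), m["track"], net, line.strip())


def parse_alert(line: str) -> Alert:
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                 ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]))


def explain(rule: Suppress, alert: Alert) -> Tuple[bool, str]:
    """Return (matches, reason) for one suppress rule against one alert."""
    if rule.gid != alert.gid:
        return False, f"gen_id {rule.gid} != alert generator id {alert.gid}"
    if rule.sid != alert.sid:
        return False, f"sig_id {rule.sid} != alert signature id {alert.sid}"
    if rule.track is None:
        return True, "gen_id and sig_id match, no track: suppressed for every host"
    addr = alert.src if rule.track == "by_src" else alert.dst
    if addr in rule.network:
        return True, f"{rule.track} address {addr} is in {rule.network}"
    return False, f"{rule.track} address {addr} is not in {rule.network}"


def check(rules: List[str], alert_line: str) -> List[Tuple[str, bool, str]]:
    """Evaluate every suppress line against the alert; returns (rule, matched, reason)."""
    alert = parse_alert(alert_line)
    return [(r.text, *explain(r, alert)) for r in map(parse_suppress, rules)]


def is_suppressed(rules: List[str], alert_line: str) -> bool:
    return any(matched for _, matched, _ in check(rules, alert_line))


# The alert and the suppress lines quoted in the thread (gid 1 in the alert, gen_id 139 in the rules).
ALERT = ("Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify Connect - "
         "Possible Backup Exec Remote Agent Recon [Classification: Attempted Information Leak] "
         "[Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918")
ORIGINAL_RULES = [
    "suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37",
    "suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37",
]
CORRECTED_RULES = [
    "suppress gen_id 1, sig_id 2002068, track by_src, ip 192.168.1.37",
    "suppress gen_id 1, sig_id 2002068, track by_dst, ip 192.168.1.37",
]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        print(f"{label}: suppressed={is_suppressed(rules, ALERT)}")
        for text, ok, why in check(rules, ALERT):
            print(f"  {'match' if ok else 'no match':8} {text}  ({why})")
```

Running it shows the thread's diagnosis directly: with gen_id 139 neither line applies because the alert's generator id is 1, while with gen_id 1 the `by_dst` line matches (192.168.1.37 is the destination in that alert) and the `by_src` line does not, since the source is 192.168.100.120. That second point is worth keeping in mind when reading Suricata's fast log: `track by_src` and `track by_dst` refer to the packet's addresses, so the pair of lines is what makes the suppression hold whichever direction the flow is logged in.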
