[Oisf-users] false alerts?

Jose Paulo paulo at sistemasolar.com.br
Wed Mar 27 14:30:01 UTC 2013


Thank you Peter Manev.

1) Yes, it's correct. It's a pcap file captured at this time.
2) Sorry, I can't. But I received authorization to post the alert-debug,
if it helps.

Thanks again.

José Paulo


On 27/03/2013 09:34, Peter Manev wrote:
>
>
> On Wed, Mar 27, 2013 at 1:03 PM, Jose Paulo <paulo at sistemasolar.com.br> wrote:
>
>     Hello all.
>
>     I'm studying Suricata and I got this result:
>
>     11/16/2011-15:00:00.198278  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:00:00.198278  [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:00:09.374228  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:00:09.374228  [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:00:09.374228  [**] [1:9000001:0] HEX no offset  [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:31.769957  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:38.380502  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:38.380502  [**] [1:9000001:0] HEX no offset  [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:44.609767  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:44.609767  [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:44.609767  [**] [1:9000002:0] HEX offset 514 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:48.726883  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:48.726883  [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:48.726883  [**] [1:9000002:0] HEX offset 514 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:48.726883  [**] [1:9000001:0] HEX no offset  [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>
>     against this rule set:
>
>     alert tcp any any <> any 23 (msg:"HEX no offset "; content: "|F8 F8 F8 F8 40 C3 81 89 A7 81|"; sid:9000001;)
>     alert tcp any any <> any 23 (msg:"HEX offset 514"; content: "|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:514; sid:9000002;)
>     alert tcp any any <> any 23 (msg:"HEX offset 516"; content: "|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:516; sid:9000003;)
>     alert tcp any any <> any 23 (msg:"HEX offset 510"; content: "|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:510; sid:9000004;)
>     alert tcp any any <> any 23 (msg:"HEX offset 503"; content: "|F8 F8 F8 F8 40 C3 81 89 A7 81|"; offset:503; sid:9000005;)
>
>     My doubts are:
>
>     1) Why am I getting alerts for sids 9000004 and 9000005 for the same packet
>     if the offset is shifted?
>
>     11/16/2011-15:01:48.726883  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:48.726883  [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:48.726883  [**] [1:9000002:0] HEX offset 514 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:48.726883  [**] [1:9000001:0] HEX no offset  [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>
>     2) Why am I not getting alerts for sid 9000001 if I got them for the others?
>
>     11/16/2011-15:01:44.609767  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:44.609767  [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:44.609767  [**] [1:9000002:0] HEX offset 514 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>
>     The expected result is only this:
>     11/16/2011-15:00:09.374228  [**] [1:9000004:0] HEX offset 510 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:00:09.374228  [**] [1:9000001:0] HEX no offset  [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:38.380502  [**] [1:9000005:0] HEX offset 503 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:38.380502  [**] [1:9000001:0] HEX no offset  [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:48.726883  [**] [1:9000002:0] HEX offset 514 [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>     11/16/2011-15:01:48.726883  [**] [1:9000001:0] HEX no offset  [**] [Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 -> 10.85.185.2:43569
>
>     I don't understand why the others occur.
>     Any enlightenment will be welcome.
>
>     Best regards!
>
>     José Paulo
>
>     _______________________________________________
>     Suricata IDS Users mailing list:
>     oisf-users at openinfosecfoundation.org
>     Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>     List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>     OISF: http://www.openinfosecfoundation.org/
>
>
>
> Hi,
> A couple of questions:
> 1) 11/16/2011- is that really the time in the current packets?
> 2) Can you share a pcap, if that is ok?
>
> Thank you
>
>
>
> -- 
> Regards,
> Peter Manev
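Editor's note, not part of the thread: in Suricata (as in Snort) the offset keyword only sets the payload byte at which the content search begins, so a payload carrying the pattern at byte 514 or later also satisfies offset:510 and offset:503, which is consistent with the sid 9000005/9000004/9000002 triplets above. The Python below models that behaviour with the question's sids and hex content on a constructed payload (nothing here is taken from the original pcap), and shows how combining offset with a depth equal to the pattern length pins a match to one exact position, as the Suricata payload-keyword documentation describes for the offset+depth form.

```python
# Added example: a model of Suricata/Snort "offset" and "depth" content
# modifiers, using the sids and hex content from the thread. The payload is
# constructed here; it is not data from the original capture.

PATTERN = bytes.fromhex("F8 F8 F8 F8 40 C3 81 89 A7 81")

# Rule set from the question as sid -> offset (None means no offset modifier).
RULES = {9000001: None, 9000002: 514, 9000003: 516, 9000004: 510, 9000005: 503}


def content_match(payload, pattern, offset=0, depth=None):
    """Return the index where pattern is found under offset/depth, or -1.

    offset: first payload byte at which the search may begin; the search
            runs to the end of the payload unless depth is given.
    depth:  length of the search window, counted from offset, in which the
            whole pattern must fit (offset:3; depth:3; covers bytes 3..5).
    """
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload.find(pattern, offset, end)


def matching_sids(payload, rules=RULES, pattern=PATTERN):
    """Sorted list of sids whose offset constraint the payload satisfies."""
    return sorted(sid for sid, off in rules.items()
                  if content_match(payload, pattern, off or 0) != -1)


def build_payload(position, length=600):
    """Constructed payload: NUL filler with PATTERN placed at `position`."""
    buf = bytearray(length)
    buf[position:position + len(PATTERN)] = PATTERN
    return bytes(buf)


def exact_position_match(payload, pattern, position):
    """Rule equivalent: content:"|...|"; offset:<position>; depth:<len>;
    Fires only when the pattern starts exactly at `position`."""
    return content_match(payload, pattern, offset=position,
                         depth=len(pattern)) == position


if __name__ == "__main__":
    # Pattern at byte 514: every rule with offset <= 514 fires, not only sid 9000002.
    print(matching_sids(build_payload(514)))   # [9000001, 9000002, 9000004, 9000005]
    # Pattern at byte 510: offset:514 and offset:516 are no longer satisfied.
    print(matching_sids(build_payload(510)))   # [9000001, 9000004, 9000005]
    print(exact_position_match(build_payload(514), PATTERN, 514))  # True
    print(exact_position_match(build_payload(514), PATTERN, 510))  # False
```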
