[Oisf-users] false alerts?

Jose Paulo paulo at sistemasolar.com.br
Wed Mar 27 17:39:13 UTC 2013


Good point, Victor Julien, thank you.

I adjusted the rule set to add the depth modifier and the result
changed as follows:

11/16/2011-15:00:00.198278 [**] [1:9000004:0] HEX offset 510 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:00:09.374228 [**] [1:9000004:0] HEX offset 510 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:00:09.374228 [**] [1:9000001:0] HEX no offset [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:31.769957 [**] [1:9000005:0] HEX offset 503 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:38.380502 [**] [1:9000005:0] HEX offset 503 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:38.380502 [**] [1:9000001:0] HEX no offset [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:44.609767 [**] [1:9000002:0] HEX offset 514 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:48.726883 [**] [1:9000002:0] HEX offset 514 [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569
11/16/2011-15:01:48.726883 [**] [1:9000001:0] HEX no offset [**]
[Classification: (null)] [Priority: 3] {TCP} 10.31.15.32:23 ->
10.85.185.2:43569


Can I consider each timestamp as a packet or something like this?
If so, why do we have alerts for a timestamp with a rule offset/depth and
not for the rule without it?

Take the timestamp 11/16/2011-15:01:48.726883; this is coherent for me:
alerts for sids 9000001 and 9000002.
Now take the timestamp 11/16/2011-15:00:00.198278: there is an alert only
for sid 9000004 (a content with offset/depth) and not for 9000001 (the same
content but without offset/depth).

José Paulo


Le 27/03/2013 11:54, Victor Julien a écrit :
> On 03/27/2013 01:03 PM, Jose Paulo wrote:
>> 1) Why I'm getting alerts for sid's 9000004,5 for the same packet if the
>> offset is shifted?
> The offset only determines where we _start_ looking for the pattern. If
> the pattern occurs in the payload anywhere after it, we'll match.
>
> If you want to pin point matching to specific bytes at specific offsets,
> you should also add the "depth" keyword.
>
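To make the offset/depth point in Victor's reply concrete, here is an added Python emulation of the search window a `content` keyword uses (example code, not from the thread or from Suricata itself). The pattern, payload and modifier values are constructed assumptions; only the rule labels are borrowed from the alert names above. Depth is counted from the offset, as the Suricata documentation describes it.

```python
from typing import Dict, Optional


def content_matches(payload: bytes, pattern: bytes,
                    offset: int = 0, depth: Optional[int] = None) -> bool:
    """Emulate one Suricata 'content' check with optional offset/depth.

    offset: byte index in the payload where the search starts.
    depth:  size of the search window, counted from offset, into which the
            whole pattern must fit; None means 'search to the end of payload'.
    """
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


# Constructed payload: 514 filler bytes, then the pattern, then more filler,
# so the pattern starts exactly at byte offset 514.
PATTERN = b"MAGIC"
PAYLOAD = b"." * 514 + PATTERN + b"." * 100

# Assumed rule set. The first three labels mirror the thread's alert names;
# the two "pinned" variants show what adding depth changes.
RULES = {
    "9000001 no offset":          dict(offset=0,   depth=None),
    "9000002 offset 514":         dict(offset=514, depth=None),
    "9000004 offset 510":         dict(offset=510, depth=None),  # still matches at 514
    "pinned offset 510 depth 5":  dict(offset=510, depth=5),     # window 510..514: no fit
    "pinned offset 514 depth 5":  dict(offset=514, depth=5),     # window 514..518: exact
}


def evaluate(payload: bytes = PAYLOAD) -> Dict[str, bool]:
    """Return, per assumed rule, whether it would fire on the payload."""
    return {name: content_matches(payload, PATTERN, **mods)
            for name, mods in RULES.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name}: {'alert' if fired else 'no alert'}")
```

Without depth, an offset only moves the start of the search, so a pattern sitting at byte 514 still fires a rule with offset 510; adding a depth equal to the pattern length pins the match to those exact bytes.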