[Oisf-users] Suricata 1.4 unified2 log and rules issues

Peter Manev petermanev at gmail.com
Fri Mar 29 12:15:39 UTC 2013


On Fri, Mar 29, 2013 at 11:44 AM, marwane azzouzi
<azzouzi.marwane at hotmail.fr> wrote:
> Hello,
Hi,
> I'm testing suricata 1.4.1
>
> The first purpose of the test is to show events on a GUI: I choose BASE
> (1.4.5) as a GUI, Barnyard2 (2.1.12) to parse suricata's unified2 files and
> to put alerts on the data base.
> I got the following results:
>
> I wrote a simple ICMP rule : alert icmp any any -> any any (msg:"ICMP
> Testing Rule"; sid:1000001; rev:1;)
>
> Suricata can detect and put the ICMP into the unified2 file but Barnyard2 is
> unable to parse it and put the alert into the DB. I got this error :
>
> WARNING database [Database()]: Called with Event[0x37e5170] Event Type [72]
> (P)acket [0x0], information has not been outputed.
> WARNING database [Database()]: Called with Event[0x0] Event Type [0]
> (P)acket [0x3328e30], information has not been outputed.
>
> Can it be an issue related to the unified2 file? The way that Suricata logs
> on unified? (Barnyard2 installation is verified and OK)
It could be.
>
> I tested the following voip scan (sivus) rule which is a VRT one :
>
>
> alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"VOIP-SIP-UDP
> Sivus scanner detected"; flow:to_server;content:"From|3A|";
> fast_pattern:only; pcre:"/^From\x3A\s*sivus-discovery/Hsmi";
> reference:url,www.vopsecurity.org/; classtype:network-scan; sid:12112;
> rev:4;)
>
> But no alerts in the unified2 file! Does Suricata support Snort rules?
It does, although not fully.
Can you verify that the rule is loading successfully? (no rules fail
during load/init time)
>
> I tested the following voip scan (sipvicious) rule which is an ET rule :
>
>
> alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"VOIP-SIP- SCAN
> Sipvicious User-Agent Detected"; content:"|0d 0a|User-Agent|3A|
> friendly-scanner"; classtype: network-scan;
> reference:url,blog.sipvicious.org/; sid:2011716; rev:2;)
>
> But no alerts in the unified2 file! Does Suricata have some issues with ET
> rules?
I don't think so - again, have you checked your variables in the yaml
(network/port/server)? And that the rule loads and there are no
issues?
You could share a pcap (privately) if you will.
>
>
> I'm interested in your IDS and would like to make other tests, especially on
> VoIP. Could you please give me some responses about the mentioned issues?
>
> Thank you
thanks
>
> Marwane AZZOUZI
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/



--
Regards,
Peter Manev
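A quick way to act on the variable check Peter suggests: the $EXTERNAL_NET, $SIP_SERVERS and $SIP_PORTS groups used in the two VoIP rule headers must exist under vars: in suricata.yaml, otherwise the rule will not load and match as intended. This is an added example, not code from the thread or from Suricata; the rules text and the vars dictionary are constructed stand-ins (the yaml is represented as an already-parsed dict), with $SIP_SERVERS deliberately left out to show what the check reports.

```python
import re

# Constructed sample: the two VoIP rules from the thread, as they would sit in a .rules file
SAMPLE_RULES = r'''
alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"VOIP-SIP-UDP Sivus scanner detected"; flow:to_server; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s*sivus-discovery/Hsmi"; reference:url,www.vopsecurity.org/; classtype:network-scan; sid:12112; rev:4;)
alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"VOIP-SIP-SCAN Sipvicious User-Agent Detected"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; classtype:network-scan; reference:url,blog.sipvicious.org/; sid:2011716; rev:2;)
'''

# Constructed stand-in for the vars: section of suricata.yaml (address-groups / port-groups).
# $SIP_SERVERS is deliberately missing so the check has something to report.
SAMPLE_VARS = {
    "address-groups": {"HOME_NET": "[192.168.0.0/16]", "EXTERNAL_NET": "!$HOME_NET"},
    "port-groups": {"HTTP_PORTS": "80", "SIP_PORTS": "5060"},
}

HEADER_RE = re.compile(r'^(alert|drop|pass|reject)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(')
VAR_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def parse_rule_header(line):
    """Return (sid, src_net, src_port, dst_net, dst_port), or None if the header does not parse."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    sid_m = SID_RE.search(line)
    sid = int(sid_m.group(1)) if sid_m else None
    return sid, m.group(3), m.group(4), m.group(6), m.group(7)

def undefined_vars(rules_text, vars_section):
    """Map sid -> sorted list of $VAR names the rule header uses that the yaml vars do not define."""
    addr = set(vars_section.get("address-groups", {}))
    ports = set(vars_section.get("port-groups", {}))
    result = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_rule_header(line)
        if parsed is None:
            continue
        sid, src_net, src_port, dst_net, dst_port = parsed
        missing = set()
        for field in (src_net, dst_net):          # address fields must resolve via address-groups
            missing.update(v for v in VAR_RE.findall(field) if v not in addr)
        for field in (src_port, dst_port):        # port fields must resolve via port-groups
            missing.update(v for v in VAR_RE.findall(field) if v not in ports)
        if missing:
            result[sid] = sorted(missing)
    return result

if __name__ == "__main__":
    for sid, names in undefined_vars(SAMPLE_RULES, SAMPLE_VARS).items():
        print(f"sid {sid}: undefined in suricata.yaml vars: {', '.join('$' + n for n in names)}")
```

On a real deployment, load the vars: mapping from suricata.yaml with a YAML parser and point the script at the rule files actually listed in rule-files:; a reported sid is one to look for in the load-time log before expecting alerts from it.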


