[Oisf-users] Question

Leonard Jacobs ljacobs at netsecuris.com
Sat Mar 30 14:44:20 UTC 2013

I am running the ET Open rules but not all of them.  I have Scan on so I would have thought I would see them.  I am getting a Policy one dealing with DNS periodically.  And if I enable the Suricata decode rules I get events.
I have 1.4.1 installed.  I have tried various kernels and versions of Ubuntu.  I thought about switching back to 1.4 to see if that makes a difference.  I have tried IDS mode, IPS mode using NFQUEUE, and IPS mode with AF-Packet.  Does not seem to make a difference.  However with NFQUEUE, I noticed a lot of dropped packets according to drop.log.
I have my HOME_NET IP addresses in the var within brackets like the example.  Individual servers are in vars within brackets.
We have been running tcpdump just to see what kinds of traffic we are getting and the level.  Not a lot of traffic but we do see an increase when running the scans.
From: mjonkman at emergingthreatspro.com [mailto:mjonkman at emergingthreatspro.com] On Behalf Of Matt Jonkman
Sent: Saturday, March 30, 2013 8:40 AM
To: Leonard Jacobs
Cc: oisf-users at openinfosecfoundation.org; Eric Leblond
Subject: Re: [Oisf-users] Question
Definitely should have. What rules are you running? Just the ET Open?
Have your vars set right?
Are you seeing other events?
On Fri, Mar 29, 2013 at 5:04 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
Why would Suricata events not be triggered when running a vulnerability scanner?  I ran OpenVAS against a couple of public IP addresses on our network and not a single event was triggered.  I would have thought that at least emerging-scan.rules would trigger.
Leonard Jacobs
Netsecuris Inc.
9301 Bryant Avenue S
Suite 104
Minneapolis, MN 55420
(952) 641-1421 ext. 20

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/


Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
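One thing worth checking in a situation like the one described in this thread is the relationship between the scanner's source address and the HOME_NET / EXTERNAL_NET vars, because most ET scan signatures are written with a `$EXTERNAL_NET any -> $HOME_NET any` direction and Suricata's stock suricata.yaml defines EXTERNAL_NET as `!$HOME_NET`. If the OpenVAS host itself sits inside HOME_NET, packets from it are not "external" and those rules cannot match, regardless of IDS or IPS mode. The script below is an added example written for this page, not code from the thread or from the Suricata project: it evaluates Suricata-style address vars (bracketed lists, `!` negation, `$VAR` references, `any`) with a simplified parser that does not support nested brackets, and reports whether a given scanner/target pair would satisfy that rule direction. The addresses and var values are constructed for illustration.

```python
import ipaddress

# Constructed sample var table in the shape of suricata.yaml's address-groups.
# HOME_NET mixes a public /24 (the "public IP addresses" being scanned) with
# an internal RFC1918 range; EXTERNAL_NET is the stock default, !$HOME_NET.
VARS = {
    "HOME_NET": "[203.0.113.0/24,192.168.0.0/16]",
    "EXTERNAL_NET": "!$HOME_NET",
}


def in_var(addr, expr, vars):
    """Return True if `addr` is covered by the address expression `expr`.

    Simplified Suricata semantics (assumption: no nested brackets):
      - a comma-separated list in [] or a single item
      - items are CIDRs/IPs, `any`, or `$NAME` references into `vars`
      - a leading `!` negates an item; an address matching any negated
        item is excluded
      - if the list has only negated items, the implicit base set is `any`
    """
    ip = ipaddress.ip_address(addr)
    text = expr.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]

    positives, negatives = [], []
    for tok in (t.strip() for t in text.split(",")):
        if not tok:
            continue
        negated = tok.startswith("!")
        if negated:
            tok = tok[1:].strip()
        if tok.startswith("$"):
            hit = in_var(addr, vars[tok[1:]], vars)   # resolve $VAR reference
        elif tok.lower() == "any":
            hit = True
        else:
            # ip in network is False across IP versions, so v4/v6 mixing is safe
            hit = ip in ipaddress.ip_network(tok, strict=False)
        (negatives if negated else positives).append(hit)

    if any(negatives):
        return False
    return any(positives) if positives else True


def external_to_home(src, dst, vars):
    """True if a packet src -> dst satisfies `$EXTERNAL_NET any -> $HOME_NET any`,
    the direction used by most ET scan rules (ports are ignored here)."""
    return in_var(src, "$EXTERNAL_NET", vars) and in_var(dst, "$HOME_NET", vars)


def explain(src, dst, vars):
    """Human-readable verdict for a scanner address and its target."""
    src_home = in_var(src, "$HOME_NET", vars)
    dst_home = in_var(dst, "$HOME_NET", vars)
    if external_to_home(src, dst, vars):
        return f"{src} -> {dst}: scanner is outside HOME_NET, target inside; scan rules can match"
    if src_home and dst_home:
        return f"{src} -> {dst}: both ends are in HOME_NET; EXTERNAL_NET->HOME_NET rules will not fire"
    if not dst_home:
        return f"{src} -> {dst}: target is not in HOME_NET; check the HOME_NET var"
    return f"{src} -> {dst}: direction does not match EXTERNAL_NET->HOME_NET"


if __name__ == "__main__":
    # Constructed cases: an internal scanner and an external one hitting the same public target.
    print(explain("192.168.1.50", "203.0.113.10", VARS))
    print(explain("198.51.100.7", "203.0.113.10", VARS))
```

Running it with the sample table prints one verdict per case, and the internal scanner's case is the one that quietly produces no alerts. The same check is a quick way to validate an edited HOME_NET before blaming the rule set or the capture method.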