[Oisf-users] EVE JSON and Drops

Phil Daws uxbod at splatnix.net
Tue Apr 15 15:17:17 UTC 2014


Yes that does indeed look like the same issue. Will try the patch. Thank you.
----- Original Message -----
From: "Victor Julien" <lists at inliniac.net>
To: oisf-users at lists.openinfosecfoundation.org
Sent: Tuesday, 15 April, 2014 3:28:45 PM
Subject: Re: [Oisf-users] EVE JSON and Drops

On 04/15/2014 04:06 PM, Phil Daws wrote:
> Hello, 
> 
> I enabled EVE JSON support last night, which is working well, but have noticed something I don't understand. In the fast.log I see: 
> 
> 04/15/2014-14:56:35.791934 [Drop] [**] [1:2011716:3] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 37.220.8.50:5083 -> 123.123.123.123:5060 
> 
> but then in the JSON: 
> 
> { "_index": "logstash-2014.04.15" , "_type": "fluentd" , "_id": "rb4fHinLSBe7uYVutbRjVg" , "_score": null , "_source": { "timestamp": "2014-04-15T14:56:35.791934" , "event_type": "alert" , "src_ip": "37.220.8.50" , "src_port": 5083 , "dest_ip": "123.123.123.123" , "dest_port": 5060 , "proto": "UDP" , "alert": { "action": "allowed" , "gid": 1 , "signature_id": 2008578 , "rev": 4 , "signature": "ET SCAN Sipvicious Scan" , "category": "Attempted Information Leak" , "severity": 2 }, "city": null , "latitude": null , "longitude": null , "country_code3": null , "country": null , "country_name": null , "dma": null , "area": null , "region": null , "@timestamp": "2014-04-15T14:56:35+01:00" }, "sort": [ 1397573795791 ]
> } 
> 
> I was expecting that the JSON would have an event type of "drop" and not "alert"?

Might be the same issue as
https://redmine.openinfosecfoundation.org/issues/1177

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/
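
A cross-check for the mismatch described in this thread, added here as an example (not code from the posters or from Suricata): it pairs fast.log lines with EVE records by timestamp and 5-tuple and lists packets that fast.log marks [Drop] but that have no EVE record with event_type "drop". The function names are hypothetical, and the second sample pair is constructed.

```python
import json
import re
from datetime import datetime

# fast.log layout from the post: ts [Drop] [**] [gid:sid:rev] msg [**] ... {PROTO} src:sp -> dst:dp
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>Drop)\]\s+)?\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\].*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sp>\d+)\s+->\s+(?P<dst>\S+):(?P<dp>\d+)")

def parse_fast(line):
    """Return (flow_key, is_drop, sid), or None if the line does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f").isoformat(timespec="microseconds")
    key = (ts, m["proto"], m["src"], int(m["sp"]), m["dst"], int(m["dp"]))
    return key, m["action"] == "Drop", int(m["sid"])

def parse_eve(record):
    """Return (flow_key, event). Unwraps an Elasticsearch "_source" envelope if present.
    Assumption: the first 26 characters of "timestamp" are the microsecond time; a zone suffix is ignored."""
    ev = record.get("_source", record)
    return (ev["timestamp"][:26], ev["proto"], ev["src_ip"], ev["src_port"],
            ev["dest_ip"], ev["dest_port"]), ev

def find_mismatches(fast_lines, eve_lines):
    """List packets fast.log marks [Drop] that have no EVE record with event_type "drop"."""
    dropped, seen, report = {}, {}, []
    for parsed in filter(None, map(parse_fast, fast_lines)):
        if parsed[1]:
            dropped.setdefault(parsed[0], []).append(parsed[2])
    for line in eve_lines:
        key, ev = parse_eve(json.loads(line))
        if key in dropped:
            seen.setdefault(key, []).append(ev)
    for key, sids in dropped.items():
        events = seen.get(key, [])
        if not any(e.get("event_type") == "drop" for e in events):
            allowed = [e["alert"]["signature_id"] for e in events
                       if e.get("event_type") == "alert" and e["alert"].get("action") == "allowed"]
            report.append({"flow": key, "fast_drop_sids": sids, "eve_allowed_sids": allowed})
    return report

# First entry of each list is from the post (EVE trimmed to the fields used); the second is constructed.
FAST_LOG = ["04/15/2014-14:56:35.791934 [Drop] [**] [1:2011716:3] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 37.220.8.50:5083 -> 123.123.123.123:5060",
            "04/15/2014-15:01:02.000123 [Drop] [**] [1:1000001:1] CONSTRUCTED test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:40000 -> 198.51.100.5:80"]
EVE_LOG = ['{"_source": {"timestamp": "2014-04-15T14:56:35.791934", "event_type": "alert", "src_ip": "37.220.8.50", "src_port": 5083, "dest_ip": "123.123.123.123", "dest_port": 5060, "proto": "UDP", "alert": {"action": "allowed", "gid": 1, "signature_id": 2008578, "rev": 4}}}',
           '{"timestamp": "2014-04-15T15:01:02.000123", "event_type": "drop", "src_ip": "192.0.2.10", "src_port": 40000, "dest_ip": "198.51.100.5", "dest_port": 80, "proto": "TCP"}']
if __name__ == "__main__":
    print(find_mismatches(FAST_LOG, EVE_LOG))
```

On the sample data only the packet from the post is reported: fast.log records a drop for signature 2011716 while the only EVE record for that packet is an alert with action "allowed" for signature 2008578.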


