[Oisf-users] wrong alert.action info in eve.json
Stefan Sabolowitsch
Stefan.Sabolowitsch at felten-group.com
Fri Mar 14 08:17:27 UTC 2014
Hi all,
With the latest git version I get a wrong "alert.action" value in eve.json.
Rule tagged as "drop":
drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER suhosin.simulation PHP config option in uri"; flow:established,to_server; content:"suhosin.simulation"; http_uri; fast_pattern:only; pcre:"/\bsuhosin\.simulation\s*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016979; rev:4;)
And this is what I see in eve.json:
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 2016979,
"rev": 4,
"signature": "ET WEB_SERVER suhosin.simulation PHP config option in uri",
"category": "A Network Trojan was Detected",
"severity": 1
},
And this is what I saw before I made the upgrade to the latest git version:
"alert": {
"action": "wDrop",
"gid": 1,
"signature_id": 2016979,
"rev": 4,
"signature": "ET WEB_SERVER suhosin.simulation PHP config option in uri",
"category": "A Network Trojan was Detected",
"severity": 1
},
Regards,
Stefan
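A quick way to catch the discrepancy Stefan describes across a whole ruleset rather than by eyeballing single records is to cross-check every eve.json alert against the action keyword of the rule that fired. The script below is an added example and is not part of the original post or of Suricata; it parses a rules file into a sid -> action map, walks eve.json line by line and reports alerts whose logged alert.action is not consistent with the rule action. The mapping of rule actions to acceptable alert.action values (EXPECTED_ACTIONS), the hypothetical second rule with sid 1000001 and the eve.json records are constructed for the example; "wDrop" and "allowed" are the two values observed in the post.

```python
"""Cross-check eve.json alert.action against the action keyword of the matching rule.

Added example, not code from the original post or from Suricata. Sample rules
and eve.json records are constructed inline so the script runs offline.
"""
import json
import re

# Which alert.action values are consistent with a given rule action.
# This table is an assumption for the example: a "drop" rule is expected to be
# logged as "blocked" (inline/IPS) or "wDrop" (IDS, would have dropped), never
# as "allowed"; "alert" and "pass" rules are expected to be logged as "allowed".
EXPECTED_ACTIONS = {
    "drop": {"blocked", "wDrop"},
    "reject": {"blocked"},
    "alert": {"allowed"},
    "pass": {"allowed"},
}

# Rule action keyword at the start of the line, sid somewhere in the options.
RULE_RE = re.compile(
    r"^\s*(?P<action>alert|drop|reject|pass)\s+\S+.*?\bsid\s*:\s*(?P<sid>\d+)\s*;"
)

# Constructed ruleset: the drop rule quoted in the post plus one hypothetical alert rule.
SAMPLE_RULES = r"""
# constructed for the example
drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER suhosin.simulation PHP config option in uri"; flow:established,to_server; content:"suhosin.simulation"; http_uri; fast_pattern:only; pcre:"/\bsuhosin\.simulation\s*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016979; rev:4;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"EXAMPLE hypothetical alert rule"; content:"/example"; http_uri; sid:1000001; rev:1;)
"""

# Constructed eve.json lines (one JSON object per line, as eve.json is written).
# Timestamps and the non-alert record are made up; the alert objects mirror the post.
SAMPLE_EVE = "\n".join(json.dumps(rec) for rec in [
    {"timestamp": "2014-03-14T08:00:00.000000+0000", "event_type": "alert",
     "alert": {"action": "allowed", "gid": 1, "signature_id": 2016979, "rev": 4,
               "signature": "ET WEB_SERVER suhosin.simulation PHP config option in uri",
               "category": "A Network Trojan was Detected", "severity": 1}},
    {"timestamp": "2014-03-14T08:00:01.000000+0000", "event_type": "alert",
     "alert": {"action": "wDrop", "gid": 1, "signature_id": 2016979, "rev": 4,
               "signature": "ET WEB_SERVER suhosin.simulation PHP config option in uri",
               "category": "A Network Trojan was Detected", "severity": 1}},
    {"timestamp": "2014-03-14T08:00:02.000000+0000", "event_type": "alert",
     "alert": {"action": "allowed", "gid": 1, "signature_id": 1000001, "rev": 1,
               "signature": "EXAMPLE hypothetical alert rule",
               "category": "Misc activity", "severity": 3}},
    {"timestamp": "2014-03-14T08:00:03.000000+0000", "event_type": "http",
     "http": {"hostname": "example.invalid", "url": "/"}},
])


def parse_rule_actions(rules_text):
    """Return {sid: action} for every non-comment, non-empty rule line."""
    actions = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            actions[int(m.group("sid"))] = m.group("action")
    return actions


def find_action_mismatches(eve_text, rule_actions):
    """Return [(sid, rule_action, logged_action)] for alert records whose
    logged alert.action is not in EXPECTED_ACTIONS[rule_action]."""
    mismatches = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a live eve.json may end in a partially written line
        if rec.get("event_type") != "alert":
            continue
        alert = rec.get("alert", {})
        sid = alert.get("signature_id")
        logged = alert.get("action")
        rule_action = rule_actions.get(sid)
        if rule_action is None:
            continue  # alert from a rule not in the ruleset we loaded
        if logged not in EXPECTED_ACTIONS.get(rule_action, set()):
            mismatches.append((sid, rule_action, logged))
    return mismatches


if __name__ == "__main__":
    rules = parse_rule_actions(SAMPLE_RULES)
    for sid, rule_action, logged in find_action_mismatches(SAMPLE_EVE, rules):
        print(f"sid {sid}: rule action '{rule_action}' but eve.json logged '{logged}'")
```

To run it against a real deployment, replace SAMPLE_RULES and SAMPLE_EVE with the contents of the loaded rules file(s) and eve.json. Alerts for sids that are not in the loaded ruleset are skipped rather than reported, so a stale or partial rules file will not produce false mismatches.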