[Oisf-users] wrong alert.action info in eve.json
Victor Julien
lists at inliniac.net
Fri Mar 14 08:21:47 UTC 2014
On 03/14/2014 09:17 AM, Stefan Sabolowitsch wrote:
> Hi all,
> with the latest git version I get wrong „alert.action“ info in eve.json.
>
> rule tagged as „drop“:
>
> drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER suhosin.simulation PHP config option in uri"; flow:established,to_server; content:"suhosin.simulation"; http_uri; fast_pattern:only; pcre:"/\bsuhosin\.simulation\s*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21;
> classtype:trojan-activity; sid:2016979; rev:4;)
>
>
> and what I see in eve.json:
>
> "alert": {
> "action": "allowed",
> "gid": 1,
> "signature_id": 2016979,
> "rev": 4,
> "signature": "ET WEB_SERVER suhosin.simulation PHP config option in uri",
> "category": "A Network Trojan was Detected",
> "severity": 1
> },
>
> and this before I made the upgrade to the latest git version:
>
> "alert": {
> "action": "wDrop",
> "gid": 1,
> "signature_id": 2016979,
> "rev": 4,
> "signature": "ET WEB_SERVER suhosin.simulation PHP config option in uri",
> "category": "A Network Trojan was Detected",
> "severity": 1
> },
>
I think the current way is correct. 'wDrop' meant "would drop if in IPS
mode". But as you're not in IPS mode, it's not dropped, so allowed.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
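The practical question behind this thread is how to tell, from an IDS-mode eve.json, which alerts came from rules that would have dropped traffic in IPS mode, now that the log says "allowed" instead of "wDrop". The script below is an added example, not Suricata's code or anything from this thread: it pulls the action and sid out of rule lines with a minimal regex (not Suricata's real rule parser), maps the legacy "wDrop" label to "allowed" as Victor describes, and cross-references each alert record's signature_id against the rule action. The rule text and eve.json records are constructed samples based on the ones quoted above, plus one made-up alert-only rule with sid 9000001 and one non-alert record to show they are skipped.

```python
"""Cross-check eve.json alert.action against the action of the rule that fired.

Added example; RULE_RE, SAMPLE_RULES and SAMPLE_EVE are constructed here and
are not part of Suricata.
"""
import json
import re

# Minimal rule-line matcher: leading action keyword, then the sid option.
# Not Suricata's rule parser: it ignores comments and multi-line rules.
RULE_RE = re.compile(
    r"^\s*(?P<action>alert|drop|reject|pass)\s+\S+.*?\bsid:\s*(?P<sid>\d+)\s*;"
)

# Legacy label seen in older builds; current builds log "allowed" in IDS mode.
LEGACY_ACTIONS = {"wDrop": "allowed"}

# Constructed sample rules: the drop rule from the thread and one alert-only rule.
SAMPLE_RULES = r'''
drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER suhosin.simulation PHP config option in uri"; flow:established,to_server; content:"suhosin.simulation"; http_uri; fast_pattern:only; pcre:"/\bsuhosin\.simulation\s*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016979; rev:4;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"EXAMPLE alert-only rule (constructed)"; content:"example"; http_uri; sid:9000001; rev:1;)
'''

def _alert_record(action, sid, signature):
    """Build one constructed eve.json alert record (helper for sample data)."""
    return json.dumps({
        "timestamp": "2014-03-14T09:00:00.000000+0000", "event_type": "alert",
        "src_ip": "198.51.100.10", "dest_ip": "192.0.2.20", "proto": "TCP",
        "alert": {"action": action, "gid": 1, "signature_id": sid, "rev": 1,
                  "signature": signature,
                  "category": "A Network Trojan was Detected", "severity": 1},
    })

# Constructed sample eve.json lines: new-style "allowed", legacy "wDrop",
# an alert-only rule, and a non-alert http record that must be skipped.
SAMPLE_EVE = [
    _alert_record("allowed", 2016979, "ET WEB_SERVER suhosin.simulation PHP config option in uri"),
    _alert_record("wDrop", 2016979, "ET WEB_SERVER suhosin.simulation PHP config option in uri"),
    _alert_record("allowed", 9000001, "EXAMPLE alert-only rule (constructed)"),
    json.dumps({"event_type": "http", "http": {"hostname": "example.test", "url": "/"}}),
]


def load_rule_actions(rule_text):
    """Return a dict sid -> rule action for every line matching RULE_RE."""
    actions = {}
    for line in rule_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            actions[int(m.group("sid"))] = m.group("action")
    return actions


def normalize_action(action):
    """Translate the old 'wDrop' label to the current 'allowed'; pass others through."""
    return LEGACY_ACTIONS.get(action, action)


def classify_alerts(eve_lines, rule_actions):
    """Return one summary dict per alert record, in input order."""
    results = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # http, dns, flow ... records carry no alert block
        alert = rec["alert"]
        sid = alert["signature_id"]
        logged = alert["action"]
        rule_action = rule_actions.get(sid, "unknown")
        results.append({
            "sid": sid,
            "logged_action": logged,
            "action": normalize_action(logged),
            "rule_action": rule_action,
            # In IDS mode nothing is blocked, so a fired drop rule marks the
            # traffic that would have been dropped had the sensor run inline.
            "would_drop_in_ips": rule_action == "drop",
        })
    return results


def summarize(results):
    """Count alerts by (normalized logged action, rule action)."""
    counts = {}
    for r in results:
        key = (r["action"], r["rule_action"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    rules = load_rule_actions(SAMPLE_RULES)
    for r in classify_alerts(SAMPLE_EVE, rules):
        print(r)
    print(summarize(classify_alerts(SAMPLE_EVE, rules)))
```

Run against a real deployment, replace SAMPLE_RULES with the contents of the loaded rule files and SAMPLE_EVE with the lines of eve.json; the (allowed, drop) bucket in the summary is the set of sessions that an IPS-mode sensor with the same ruleset would have blocked, which is the information the old "wDrop" label used to carry in the log itself.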