[Oisf-users] wrong alert.action info in eve.json

Stefan Sabolowitsch Stefan.Sabolowitsch at felten-group.com
Fri Mar 14 08:28:57 UTC 2014


Hi Victor
no, suri is running in IPS mode and I get drop info with eve.json

please look here:
   "type": "suricata",
   "received_at": "2014-03-14 09:19:45 +0100",
   "event_type": "drop",
   "src_ip": "88.212.196.87",
   "src_port": 53,
   "proto": "UDP",
   "drop": {
     "len": 329,
     "tos": 0,
     "ttl": 53,
     "ipid": 56722,
     "udplen": 309
   },



On 14.03.2014 at 09:21, Victor Julien <lists at inliniac.net> wrote:

> On 03/14/2014 09:17 AM, Stefan Sabolowitsch wrote:
>> Hi all,
>> with the latest git version I get wrong "alert.action" info in eve.json.
>> 
>> rule tagged as "drop":
>> 
>> drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER suhosin.simulation PHP config option in uri"; flow:established,to_server; content:"suhosin.simulation"; http_uri; fast_pattern:only; pcre:"/\bsuhosin\.simulation\s*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016979; rev:4;)
>> 
>> 
>> and what I see in eve.json:
>> 
>>   "alert": {
>>     "action": "allowed",
>>     "gid": 1,
>>     "signature_id": 2016979,
>>     "rev": 4,
>>     "signature": "ET WEB_SERVER suhosin.simulation PHP config option in uri",
>>     "category": "A Network Trojan was Detected",
>>     "severity": 1
>>   },
>> 
>> and this before I made the upgrade to the latest git version:
>> 
>>   "alert": {
>>     "action": "wDrop",
>>     "gid": 1,
>>     "signature_id": 2016979,
>>     "rev": 4,
>>     "signature": "ET WEB_SERVER suhosin.simulation PHP config option in uri",
>>     "category": "A Network Trojan was Detected",
>>     "severity": 1
>>   },
>> 
> 
> I think the current way is correct. 'wDrop' meant "would drop if in IPS
> mode". But as you're not in IPS mode, it's not dropped, so allowed.
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 

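The thread's point is that "alert.action" reports what the engine actually did ("allowed" in IDS mode, even for a drop rule), while an IPS sensor additionally writes "event_type": "drop" records. The following is an added example, not code from the thread or from the Suricata project: it reconciles the action each rule asked for with what eve.json reports, so an operator can spot drop rules that are only "would drop" on an IDS-mode sensor. The rule file and eve.json lines are constructed, and field names follow the excerpts in the thread.

```python
import json
import re

# One Suricata rule per line; only the action keyword and the sid are needed.
RULE_RE = re.compile(r"^\s*(?P<action>alert|drop|pass|reject)\s.*\bsid:\s*(?P<sid>\d+)\s*;")

# Constructed rule file: the thread's drop rule (sid 2016979) plus an alert-only rule.
RULES = """\
drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER suhosin.simulation PHP config option in uri"; content:"suhosin.simulation"; http_uri; sid:2016979; rev:4;)
alert dns any any -> any 53 (msg:"constructed alert-only rule"; sid:9000001; rev:1;)
"""

# Constructed eve.json lines in the shape shown in the thread (one JSON object per line).
EVE = "\n".join([
    json.dumps({"event_type": "alert", "alert": {"action": "allowed", "signature_id": 2016979}}),
    json.dumps({"event_type": "alert", "alert": {"action": "blocked", "signature_id": 2016979}}),
    json.dumps({"event_type": "alert", "alert": {"action": "allowed", "signature_id": 9000001}}),
    json.dumps({"event_type": "drop", "src_ip": "88.212.196.87", "drop": {"len": 329}}),
])

def load_rule_actions(rule_text):
    """Map sid -> action keyword (drop/alert/...) for each rule line."""
    return {int(m["sid"]): m["action"] for m in map(RULE_RE.match, rule_text.splitlines()) if m}

def verdict(alert, rule_actions):
    """Compare the action the rule asked for with what the engine reported."""
    intended = rule_actions.get(alert["signature_id"])
    reported = alert.get("action")
    if intended is None:
        return "unknown-sid"
    if intended != "drop":
        return "alert-only"
    if reported == "blocked":
        return "dropped"          # IPS mode: the drop was enforced
    return "not-enforced"         # IDS mode: "allowed" (older builds wrote "wDrop")

def reconcile(eve_text, rule_text):
    """Count verdicts per alert and note whether any event_type 'drop' records exist."""
    rule_actions = load_rule_actions(rule_text)
    counts = {}
    saw_drop_events = False
    for line in eve_text.splitlines():
        ev = json.loads(line)
        if ev.get("event_type") == "drop":
            saw_drop_events = True        # only an IPS-mode sensor writes these
        elif ev.get("event_type") == "alert":
            v = verdict(ev["alert"], rule_actions)
            counts[v] = counts.get(v, 0) + 1
    return {"verdicts": counts, "drop_events_seen": saw_drop_events}

if __name__ == "__main__":
    print(reconcile(EVE, RULES))
```

A sensor whose output has "not-enforced" verdicts but no drop events is running drop rules in IDS mode, which is exactly the situation the thread describes.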