[Oisf-users] suri logging all the packets for the session
Russell Fulton
r.fulton at auckland.ac.nz
Wed Nov 19 01:41:17 UTC 2014
I have been looking at this again. It seems to be logging 10 packets, and it seems to occur with alerts that trigger when a file is sent “inline”.
Russell
On 8/11/2014, at 12:59 pm, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> Hi
>
> For some rules (e.g. ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename inside) I get a large chunk of the incoming packets logged:
>
> SID CID Timestamp Signature IP Src IP Dst Proto Length
> 3 21738471 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 195.154.140.201 130.216.125.245 6 70
> 3 21738472 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 195.154.140.201 130.216.125.245 6 86
> 3 21738473 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 195.154.140.201 130.216.125.245 6 78
> 3 21738474 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 195.154.140.201 130.216.125.245 6 76
> 3 21738475 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 195.154.140.201 130.216.125.245 6 74
> 3 21738476 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 195.154.140.201 130.216.125.245 6 74
> 3 21738477 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 195.154.140.201 130.216.125.245 6 76
> 3 21738478 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 195.154.140.201 130.216.125.245 6 79
> 3 21738479 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 195.154.140.201 130.216.125.245 6 75
> 3 21738480 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 195.154.140.201 130.216.125.245 6 46
> 3 21738481 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 195.154.140.201 130.216.125.245 6 1488
> 3 21738482 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 195.154.140.201 130.216.125.245 6 1488
>
> The short packets at the start are the headers and the two large packets at the end are the start of the body of the message. How much of the body gets logged is random; in a few cases I am getting the whole lot, i.e. you get a short packet at the end with the MIME boundary at the end. Mostly I get two or three packets.
>
> I am curious to know what is going on. I cannot see anything in the rule that would trigger this behaviour.
>
> Just found another example:
>
> SID CID Timestamp Signature IP Src IP Dst Proto Length
> 2 17853581 2014-11-07 13:05:08 GPL FTP SITE overflow attempt 128.39.65.26 130.216.31.100 6 56
> 2 17853582 2014-11-07 13:05:08 GPL FTP SITE overflow attempt 128.39.65.26 130.216.31.100 6 51
> 2 17853583 2014-11-07 13:05:08 GPL FTP SITE overflow attempt 128.39.65.26 130.216.31.100 6 46
> 2 17853584 2014-11-07 13:05:08 GPL FTP SITE overflow attempt 128.39.65.26 130.216.31.100 6 153
> 2 17853585 2014-11-07 13:05:08 GPL FTP SITE overflow attempt 128.39.65.26 130.216.31.100 6 48
> 2 17853586 2014-11-07 13:05:08 GPL FTP SITE overflow attempt 128.39.65.26 130.216.31.100 6 48
> 2 17853587 2014-11-07 13:05:08 GPL FTP SITE overflow attempt 128.39.65.26 130.216.31.100 6 70
> 2 17853588 2014-11-07 13:05:08 GPL FTP SITE overflow attempt 128.39.65.26 130.216.31.100 6 66
> 2 17853589 2014-11-07 13:05:08 GPL FTP SITE overflow attempt 128.39.65.26 130.216.31.100 6 56
>
> It is the fourth packet that triggered the alert. (I thought I had disabled all the GPL FTP Overflow rules!)
>
> Running 2.0.3
>
> Russell
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
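As an added example (not from the post, and not Suricata's own code), a short Python script that does the tally Russell did by hand: it parses rows in the SID/CID/Timestamp/Signature/Src/Dst/Proto/Length layout quoted above, groups consecutive CIDs that share sensor, signature and flow into one "burst", and reports how many packets and bytes each alert pulled into the log. The sample rows, CIDs and IP addresses below are constructed.

```python
import re
from collections import namedtuple

# Row layout follows the SID/CID table quoted in the post:
# SID CID Timestamp Signature Src Dst Proto Length
ROW_RE = re.compile(
    r"^(?P<sid>\d+)\s+(?P<cid>\d+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<sig>.+?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>\d+)\s+(?P<length>\d+)$"
)
Row = namedtuple("Row", "sid cid ts sig src dst proto length")

# Constructed sample (documentation-range IPs, made-up CIDs); header line is skipped.
SAMPLE = """\
SID CID Timestamp Signature IP Src IP Dst Proto Length
3 100 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 203.0.113.5 192.0.2.10 6 70
3 101 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 203.0.113.5 192.0.2.10 6 86
3 102 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 203.0.113.5 192.0.2.10 6 1488
3 103 2014-11-07 13:13:55 ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in 203.0.113.5 192.0.2.10 6 1488
2 200 2014-11-07 13:05:08 GPL FTP SITE overflow attempt 203.0.113.7 192.0.2.20 6 56
2 201 2014-11-07 13:05:08 GPL FTP SITE overflow attempt 203.0.113.7 192.0.2.20 6 153
"""

def parse_rows(text):
    """Parse table lines into Row tuples; the header and unparseable lines are dropped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            rows.append(Row(int(d["sid"]), int(d["cid"]), d["ts"], d["sig"], d["src"],
                            d["dst"], int(d["proto"]), int(d["length"])))
    return rows

def group_bursts(rows):
    """Merge runs of consecutive CIDs with the same sensor, signature and src/dst."""
    bursts = []
    for r in sorted(rows, key=lambda r: (r.sid, r.cid)):
        key = (r.sid, r.sig, r.src, r.dst)
        if bursts and bursts[-1]["key"] == key and bursts[-1]["last_cid"] + 1 == r.cid:
            bursts[-1]["last_cid"] = r.cid
            bursts[-1]["lengths"].append(r.length)
        else:
            bursts.append({"key": key, "first_cid": r.cid, "last_cid": r.cid, "lengths": [r.length]})
    for b in bursts:
        b["packets"] = len(b["lengths"])
        b["bytes"] = sum(b["lengths"])
        b["large"] = sum(1 for n in b["lengths"] if n >= 1000)  # body-sized segments
    return bursts

if __name__ == "__main__":
    for b in group_bursts(parse_rows(SAMPLE)):
        print(b["key"][1], "packets:", b["packets"], "bytes:", b["bytes"], "large:", b["large"])
```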