[Oisf-users] suri logging all the packets for the session

Russell Fulton r.fulton at auckland.ac.nz
Thu Nov 20 20:52:35 UTC 2014


Can someone please confirm whether or not this is expected behaviour.

I have found some examples today where multiple packets were logged but I could not find the patterns that triggered the alerts in the logged packets.  The packets logged were the last X of the session.

If this is not expected behaviour, does anyone have any suggestions for diagnosing what is going on?

Russell 

On 19/11/2014, at 2:41 pm, Russell Fulton <r.fulton at auckland.ac.nz> wrote:

> I have been looking at this again.  It seems to be logging 10 packets and it seems to occur with alerts that trigger when a file is sent “inline”.
> 
> Russell
> 
> On 8/11/2014, at 12:59 pm, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> 
>> Hi
>> 
>> For some rules (e.g. ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename inside)  I get a large chunk of the incoming packets logged:
>> 
>> SID	CID		Timestamp		Signature								IP Src		IP Dst		Proto	Length
>> 3	21738471	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	70	
>> 3	21738472	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	86	
>> 3	21738473	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	78	
>> 3	21738474	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	76	
>> 3	21738475	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	74	
>> 3	21738476	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	74	
>> 3	21738477	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	76	
>> 3	21738478	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	79	
>> 3	21738479	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	75	
>> 3	21738480	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	46	
>> 3	21738481	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	1488	
>> 3	21738482	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	1488	
>> 
>> The short packets at the start are the headers and the two large packets at the end are the start of the body of the message. How much of the body gets logged is random; in a few cases I am getting the whole lot, i.e. you get a short packet at the end with the MIME boundary at the end.  Mostly I get two or three packets.
>> 
>> I am curious to know what is going on.  I cannot see anything in the rule that would trigger this behaviour.
>> 
>> Just found another example:
>> 
>> SID	CID		Timestamp		Signature				IP Src		IP Dst		Proto	Length
>> 2	17853581	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	56	
>> 2	17853582	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	51	
>> 2	17853583	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	46	
>> 2	17853584	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	153	
>> 2	17853585	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	48	
>> 2	17853586	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	48	
>> 2	17853587	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	70	
>> 2	17853588	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	66	
>> 2	17853589	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	56	
>> 
>> It is the fourth packet that triggered the alert.  ( I thought I had disabled all the GPL FTP Overflow rules!)
>> 
>> Running 2.0.3
>> 
>> Russell
>> 
>> 
>> 
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/
> 
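An added example, not from the thread or from the Suricata project: a small Python script that parses the tab-separated alert export quoted above and summarises how many packets each alert wrote, so the "last X packets of the session" observation can be checked across a whole day's export rather than by eye. It assumes the export format is exactly the one quoted (one row per logged packet, signature column padded with extra tabs, a header row starting with `SID`); the function names and the `large_packets` threshold of 1000 bytes are my own choices. The sample rows are the ones quoted in the two tables above, re-entered as tab-separated strings.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Rows re-entered from the two exports quoted in the thread (tab-separated,
# signature column padded with an extra tab, trailing tab on each row).
SMTP_SIG = "ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in"
FTP_SIG = "GPL FTP SITE overflow attempt"
HEADER = "SID\tCID\t\tTimestamp\t\tSignature\t\tIP Src\t\tIP Dst\t\tProto\tLength"


def _rows(sid, first_cid, ts, sig, src, dst, lengths):
    """Build consecutive-CID rows in the quoted export layout (sample data only)."""
    return "\n".join(
        f"{sid}\t{cid}\t{ts}\t{sig}\t\t{src}\t{dst}\t6\t{ln}\t"
        for cid, ln in zip(range(first_cid, first_cid + len(lengths)), lengths)
    )


SAMPLE_EXPORT = "\n".join([
    HEADER,
    _rows(3, 21738471, "2014-11-07 13:13:55", SMTP_SIG,
          "195.154.140.201", "130.216.125.245",
          [70, 86, 78, 76, 74, 74, 76, 79, 75, 46, 1488, 1488]),
    HEADER,
    _rows(2, 17853581, "2014-11-07 13:05:08", FTP_SIG,
          "128.39.65.26", "130.216.31.100",
          [56, 51, 46, 153, 48, 48, 70, 66, 56]),
])


class LoggedPacket(NamedTuple):
    sid: int
    cid: int
    timestamp: str
    signature: str
    src: str
    dst: str
    proto: int
    length: int


def parse_rows(text: str) -> List[LoggedPacket]:
    """Parse the export: split on tabs, drop padding cells, skip header rows."""
    packets = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("\t") if c.strip()]
        if not cells or cells[0] == "SID":
            continue
        sid, cid, ts, sig, src, dst, proto, length = cells
        packets.append(LoggedPacket(int(sid), int(cid), ts, sig,
                                    src, dst, int(proto), int(length)))
    return packets


def group_alerts(packets: List[LoggedPacket]) -> Dict[Tuple, dict]:
    """Group rows that share sensor, timestamp, signature and endpoints
    (one alert written once per packet) and summarise each group."""
    groups: Dict[Tuple, List[LoggedPacket]] = defaultdict(list)
    for p in packets:
        groups[(p.sid, p.timestamp, p.signature, p.src, p.dst)].append(p)
    summary: Dict[Tuple, dict] = {}
    for key, pkts in groups.items():
        cids = [p.cid for p in pkts]
        lengths = [p.length for p in pkts]
        summary[key] = {
            "packets": len(pkts),
            "total_bytes": sum(lengths),
            "lengths": lengths,
            # consecutive CIDs mean the packets were written back-to-back
            "contiguous_cids": cids == list(range(cids[0], cids[0] + len(cids))),
            # threshold of 1000 bytes is an assumption: separates body-sized
            # segments from the short header/command packets
            "large_packets": sum(1 for ln in lengths if ln >= 1000),
            "largest_index": max(range(len(lengths)), key=lengths.__getitem__),
        }
    return summary


if __name__ == "__main__":
    for (sid, ts, sig, src, dst), s in group_alerts(parse_rows(SAMPLE_EXPORT)).items():
        print(f"sensor {sid} {ts} {src} -> {dst}: {sig}")
        print(f"  {s['packets']} packets, {s['total_bytes']} bytes, "
              f"contiguous CIDs: {s['contiguous_cids']}, "
              f"largest packet is #{s['largest_index'] + 1} ({max(s['lengths'])} bytes)")
```

Run it against a larger export (read the file and pass its text to `parse_rows`) and sort the groups by `packets` to see which signatures consistently produce multi-packet groups; the `largest_index` field makes it quick to check whether the packet the rule actually matched sits at a fixed position in each group, as the fourth packet does in the FTP example above.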
