[Oisf-users] more on multiple packets logged for a single alert

Russell Fulton r.fulton at auckland.ac.nz
Tue Oct 21 19:27:46 UTC 2014 

Hi

Here is another example of where a single alert appears to have logged multiple packets:
SID	CID	Timestamp		Signature		IP Src		IP Dst		Proto	Length
2	16938497	2014-10-21 16:18:21	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938498	2014-10-21 16:18:21	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938499	2014-10-21 16:18:21	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938500	2014-10-21 16:18:21	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1015	
2	16938501	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938502	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938503	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938504	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938505	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938506	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	941	
2	16938507	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938508	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938509	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938510	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938511	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938512	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	941	
2	16938513	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938514	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938515	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938516	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938517	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938518	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	941	
2	16938519	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938520	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938521	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938522	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938523	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	1500	
2	16938524	2014-10-21 16:18:22	ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 		202.49.144.218	130.216.121.84	6	941	
2
note that the CIDs are contiguous.  The first packet in each set has the offending pattern but all 6 packets are being logged.

this is 2.0.3.

BTW the wiki entry for this rule is incomplete with just half the rule text there.
http://doc.emergingthreats.net/bin/view/Main/2018334

Russell
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20141022/e9f9a31d/attachment.html>

More information about the Oisf-users mailing list