[Oisf-users] more on multiple packets logged for a single alert
Russell Fulton
r.fulton at auckland.ac.nz
Tue Oct 21 19:27:46 UTC 2014
Hi
Here is another example of where a single alert appears to have logged multiple packets:
SID CID Timestamp Signature IP Src IP Dst Proto Length
2 16938497 2014-10-21 16:18:21 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938498 2014-10-21 16:18:21 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938499 2014-10-21 16:18:21 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938500 2014-10-21 16:18:21 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1015
2 16938501 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938502 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938503 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938504 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938505 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938506 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 941
2 16938507 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938508 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938509 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938510 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938511 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938512 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 941
2 16938513 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938514 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938515 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938516 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938517 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938518 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 941
2 16938519 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938520 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938521 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938522 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938523 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938524 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 941
Note that the CIDs are contiguous. The first packet in each set has the offending pattern, but all 6 packets are being logged.
This is 2.0.3.
BTW the wiki entry for this rule is incomplete with just half the rule text there.
http://doc.emergingthreats.net/bin/view/Main/2018334
Russell
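A triage helper of the kind a reader of this thread might use to collapse the per-packet rows above into one logical event per burst. This is an added example, not the poster's code or Suricata's; the rule that a segment shorter than 1500 bytes closes a burst is an assumption drawn from the length column, not something the post states.

```python
"""Collapse per-packet Suricata alert rows (the SID/CID table in the post)
into one logical event per burst.  Added example, not the poster's code."""
from collections import namedtuple
from datetime import datetime

# Ten rows copied from the post's table, used here as constructed test input.
SAMPLE = """\
2 16938497 2014-10-21 16:18:21 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938498 2014-10-21 16:18:21 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938499 2014-10-21 16:18:21 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938500 2014-10-21 16:18:21 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1015
2 16938501 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938502 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938503 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938504 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938505 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 1500
2 16938506 2014-10-21 16:18:22 ET CURRENT_EVENTS PHISH Generic - Landing Page - saved from 202.49.144.218 130.216.121.84 6 941
"""

Alert = namedtuple("Alert", "sid cid ts sig src dst proto length")

def parse(line: str) -> Alert:
    # Signature text is free-form: everything between the timestamp and the
    # trailing four fixed columns (src, dst, proto, length).
    f = line.split()
    ts = datetime.strptime(f"{f[2]} {f[3]}", "%Y-%m-%d %H:%M:%S")
    return Alert(int(f[0]), int(f[1]), ts, " ".join(f[4:-4]),
                 f[-4], f[-3], int(f[-2]), int(f[-1]))

def same_event(a: Alert, b: Alert) -> bool:
    return (a.sid, a.sig, a.src, a.dst, a.proto) == (b.sid, b.sig, b.src, b.dst, b.proto)

def collapse(rows, full_segment=1500, max_gap_s=2):
    """Return [(first_alert, n_packets)] per burst.  A new burst starts when
    the CID is not prev+1, signature/endpoints differ, the time gap exceeds
    max_gap_s, or the previous packet was shorter than a full-size segment
    (assumption: a short segment marks the end of one server response)."""
    events, prev = [], None
    for a in rows:
        if (prev is None or a.cid != prev.cid + 1 or not same_event(a, prev)
                or (a.ts - prev.ts).total_seconds() > max_gap_s
                or prev.length < full_segment):
            events.append([a, 1])
        else:
            events[-1][1] += 1
        prev = a
    return [(first, n) for first, n in events]

def burst_sizes(text: str = SAMPLE) -> list:
    rows = [parse(l) for l in text.splitlines() if l.strip()]
    return [n for _, n in collapse(rows)]
```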