[Oisf-users] multiple alerts being logged to unified2

Peter Manev petermanev at gmail.com
Mon Mar 2 12:53:56 UTC 2015

On Wed, Feb 25, 2015 at 3:34 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> Hi
> Is there a way to tell suri to log a single alert per ‘event’.  I am now seeing lots of cases where I get multiple alerts with different packet data for a single detection event.  Most of these are for

Is it possible to give an example?

> rules where the detection would have occurred on the reassembled stream so I assume that suri just dumps the stream buffer because it does not know which packet the data was in.
> Many of these are for compressed content so the raw packet data is pretty useless anyway. Since I am now getting suri to log pcaps and sucking them into moloch (spooling them to /run/shm), if I want to look at the stream I can get it from moloch. BTW the packet capture spooled to moloch seems to work well but it is still early days.
> I am using both fast and unified2 outputs.  I will probably soon move to eve and throw the lot in ES.  Will that suffer from the multiple alerts too?  I am guessing not since iirc eve does not log data by default.

The number of alerts would be the same in ES.
You can also make use of (filter on) the flow_id (very easy in
ES/Kibana) to correlate all available extra info for that particular
alert, for example http/dns records and such.

> Russell
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/

Peter Manev
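Peter's suggestion to correlate on flow_id, as an added example that is not part of the original thread: the script below reads constructed eve.json lines (made-up values, not real captured traffic), groups them by flow_id, collapses repeated alerts for the same signature on one flow into a single detection with a hit count, and attaches the flow's http/dns records. flow_id, event_type and alert.signature_id are standard EVE JSON field names; everything else in the sample is assumed.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not real captured traffic): two alerts
# for the same signature on one flow, that flow's http record, and an
# unrelated dns record. Real EVE records carry more fields than shown here.
SAMPLE_EVE = r"""
{"timestamp":"2015-02-25T03:30:01.000000+0000","flow_id":1234567890,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","alert":{"signature_id":2000001,"rev":1,"signature":"CONSTRUCTED test rule"},"payload_printable":"GET /a HTTP/1.1"}
{"timestamp":"2015-02-25T03:30:01.100000+0000","flow_id":1234567890,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","alert":{"signature_id":2000001,"rev":1,"signature":"CONSTRUCTED test rule"},"payload_printable":"...more of the stream..."}
{"timestamp":"2015-02-25T03:30:01.200000+0000","flow_id":1234567890,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","http":{"hostname":"example.net","url":"/a","http_method":"GET","status":200}}
{"timestamp":"2015-02-25T03:30:02.000000+0000","flow_id":9876543210,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"example.net","rrtype":"A"}}
"""


def correlate_by_flow(eve_lines):
    """Group EVE records by flow_id.

    Returns {flow_id: {"alerts": {signature_id: hit_count}, "http": [...], "dns": [...]}}.
    Alerts are keyed per signature_id, so several alerts raised on different
    packets of one flow become one detection with a hit count.
    """
    flows = defaultdict(lambda: {"alerts": defaultdict(int), "http": [], "dns": []})
    for raw in eve_lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        fid = rec.get("flow_id")
        if fid is None:
            continue  # e.g. stats records carry no flow_id
        etype = rec.get("event_type")
        if etype == "alert":
            flows[fid]["alerts"][rec["alert"]["signature_id"]] += 1
        elif etype in ("http", "dns"):
            flows[fid][etype].append(rec[etype])
    return flows


def unique_detections(flows):
    """One (flow_id, signature_id, hits) tuple per flow/signature pair."""
    return sorted((fid, sid, n) for fid, f in flows.items() for sid, n in f["alerts"].items())


if __name__ == "__main__":
    flows = correlate_by_flow(SAMPLE_EVE.splitlines())
    for fid, sid, n in unique_detections(flows):
        print(f"flow {fid}: sid {sid} fired {n} times; http={flows[fid]['http']}")
```

Run against a real eve.json (for example `python3 script.py < /var/log/suricata/eve.json` after swapping SAMPLE_EVE for sys.stdin), the same grouping gives one line per flow/signature instead of one per packet-level alert.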
