[Oisf-users] Where is info on the meaning of alerts?

Victor Julien lists at inliniac.net
Mon May 11 08:31:03 UTC 2015



On 05/10/2015 09:23 AM, James Moe wrote:
> Hello, suricata 2.0.7
> 
> Where can I find information about alerts? In particular:
> - What is the alert about?
> - Why is the alert significant?
> 
> For instance, "SURICATA STREAM ESTABLISHED retransmission packet 
> before last ack". What is significant about the retransmission? Why
> is it considered dubious?

Normally data shouldn't be retransmitted after it has been ack'd. This
is probably one to disable, as it's sensitive to packet loss. Also, if
the ACK got lost after the IDS saw it, but before the end host would
get it, then it would be a false positive.

> Or "SURICATA HTTP Host header ambiguous". I cannot even parse that
> one.

In HTTP the host can be set in 2 ways:

- on the URL, e.g. 'GET http://somehost/index.html HTTP/1.1'
- in the Host header, e.g.:

    GET /index.html HTTP/1.1
    Host: somehost

If they are both present, but have different values, then this rule
triggers.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

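The two alert conditions explained in the reply above, modelled in miniature as an added example (this is not Suricata's code and not part of the list post). The `Stream`/`Peer` classes are a deliberately simplified TCP tracker that only records the highest ACK each side has sent; the `host_header_ambiguous` function compares the host in an absolute-form request-target against the `Host` header the way the reply describes, with case-insensitive matching and port stripping as this example's own simplification. The scenario functions and their sample segments and requests are constructed for illustration, including the lost-ACK false positive the reply mentions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Peer:
    """Per-direction TCP state: highest ACK number this peer has sent (assumed model)."""
    last_ack: Optional[int] = None


class Stream:
    """Minimal bidirectional TCP stream tracker (illustrative, not Suricata's)."""

    def __init__(self) -> None:
        self.peers = {"client": Peer(), "server": Peer()}

    def segment(self, sender: str, seq: int, payload_len: int, ack: Optional[int] = None) -> bool:
        """Feed one segment from `sender`; return True if it would raise
        'STREAM ESTABLISHED retransmission packet before last ack'.

        The ACK field advances the sender's own last_ack. Data is flagged when
        the whole payload lies at or below the point the *receiver* has already
        acknowledged: the peer said it has these bytes, yet they are sent again.
        """
        receiver = "server" if sender == "client" else "client"
        if ack is not None:
            me = self.peers[sender]
            me.last_ack = ack if me.last_ack is None else max(me.last_ack, ack)
        peer_ack = self.peers[receiver].last_ack
        return payload_len > 0 and peer_ack is not None and seq + payload_len <= peer_ack


def normal_scenario() -> bool:
    """Constructed: data, its ACK, then fresh data. Nothing to flag."""
    s = Stream()
    s.segment("client", seq=1000, payload_len=100)            # bytes 1000..1099
    s.segment("server", seq=5000, payload_len=0, ack=1100)    # server ACKs them
    return s.segment("client", seq=1100, payload_len=50)      # new data -> False


def lost_ack_scenario() -> bool:
    """Constructed: the false positive from the reply. The IDS sees the server's
    ACK, but it is lost before reaching the client, so the client's legitimate
    retransmit is flagged as a retransmission before last ack."""
    s = Stream()
    s.segment("client", seq=1000, payload_len=100)
    s.segment("server", seq=5000, payload_len=0, ack=1100)    # seen by IDS, lost on the wire
    return s.segment("client", seq=1000, payload_len=100)     # retransmit -> True


def host_header_ambiguous(raw_request: str) -> bool:
    """True when the request-target is an absolute URL *and* a Host header is
    present, but the two name different hosts ('HTTP Host header ambiguous').
    Host comparison is case-insensitive and ignores a port (simplification)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)

    url_host = None
    if "://" in target:                       # absolute-form request-target
        url_host = (urlsplit(target).hostname or "").lower()

    header_host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            header_host = value.strip().lower().rsplit(":", 1)[0] if value.strip().count(":") == 1 else value.strip().lower()
            break

    if url_host is None or header_host is None:
        return False                          # only one source of the host: unambiguous
    return url_host != header_host


if __name__ == "__main__":
    print("normal stream flagged:", normal_scenario())
    print("lost-ACK stream flagged:", lost_ack_scenario())
    req = "GET http://somehost/index.html HTTP/1.1\r\nHost: otherhost\r\n\r\n"
    print("ambiguous host:", host_header_ambiguous(req))
```

The `lost_ack_scenario` is the point worth keeping in mind when tuning: the tracker's view of what was acknowledged is the IDS's view, not the end host's, which is why the reply suggests disabling that rule on lossy links rather than treating every hit as suspicious.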


