[Oisf-users] Making Suricata Alert Per Matching Packet

Cooper F. Nelson cnelson at ucsd.edu
Mon Apr 11 21:02:03 UTC 2016


If Suricata works like Snort in this regard, you should be able to do
something like this:

> alert tcp any 55582 -> any 80 (flags:*SFRPAU; msg:"Test Rule"; sid:9000001; rev:1;)

-Coop

On 4/11/2016 1:46 PM, Shane Boissevain wrote:
> Issue in question is that Suricata only alerts once per stream (I think)
> instead of once per packet.
> 
> To test this, I tcpdumped a connection to google and rewrote it via
> tcprewrite, and sent it through suricata via tcpreplay. This allows me to
> write an incredibly simple alert that trips based on port:
> 
>> alert tcp any 55582 -> any 80 (msg:"Test Rule";
>> classification:policy-violation; sid:9000000; rev:1;)


-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
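As an added check, not part of the thread or of Suricata itself: a small Python script that groups fast.log alerts by sid and 5-tuple, so that after replaying a pcap you can tell whether a given rule fired once per stream or once per packet. The fast.log lines below are constructed samples in the standard fast.log layout; sid 9000001 and the rule name "Per-packet Test Rule" are assumptions standing in for whatever per-packet variant you end up testing.

```python
import re
from collections import Counter

# Constructed sample fast.log output (not from the original thread). One flow from
# port 55582 to port 80 produced three packets; sid 9000000 alerted once on it,
# sid 9000001 alerted on every packet. A second flow shows a single packet.
SAMPLE_FAST_LOG = """\
04/11/2016-13:46:01.000001  [**] [1:9000000:1] Test Rule [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:55582 -> 172.217.0.46:80
04/11/2016-13:46:01.000002  [**] [1:9000001:1] Per-packet Test Rule [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:55582 -> 172.217.0.46:80
04/11/2016-13:46:01.000003  [**] [1:9000001:1] Per-packet Test Rule [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:55582 -> 172.217.0.46:80
04/11/2016-13:46:01.000004  [**] [1:9000001:1] Per-packet Test Rule [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:55582 -> 172.217.0.46:80
04/11/2016-13:46:02.000001  [**] [1:9000001:1] Per-packet Test Rule [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.7:55582 -> 172.217.0.46:80
"""

# One fast.log line: timestamp, [gid:sid:rev], msg, classification/priority, {proto}, src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Yield one dict per alert line; lines that do not match the fast.log layout are skipped."""
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if m:
            yield m.groupdict()


def alerts_per_flow(text):
    """Count alerts keyed by (sid, proto, src, sport, dst, dport).

    A rule that fires once per stream shows a count of 1 for each flow; a rule that
    fires per packet shows a count equal to the number of matching packets in that flow.
    """
    counts = Counter()
    for a in parse_fast_log(text):
        key = (int(a["sid"]), a["proto"], a["src"], int(a["sport"]), a["dst"], int(a["dport"]))
        counts[key] += 1
    return counts


def max_alerts_per_flow_by_sid(text):
    """For each sid, the largest alert count seen on any single flow.

    Anything above 1 means the rule alerted more than once on the same stream,
    which is what you want to see when checking for per-packet alerting.
    """
    result = {}
    for (sid, *_), n in alerts_per_flow(text).items():
        result[sid] = max(result.get(sid, 0), n)
    return result


if __name__ == "__main__":
    for sid, n in sorted(max_alerts_per_flow_by_sid(SAMPLE_FAST_LOG).items()):
        print(f"sid {sid}: up to {n} alert(s) on a single flow")
```

Run it against the real fast.log from your `suricata -r capture.pcap` test instead of the embedded sample (read the file into `text`); if the per-packet rule still shows 1 per flow, compare the count against the number of packets in that flow in the pcap before suspecting the rule syntax.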
