[Oisf-users] Making Suricata Alert Per Matching Packet
Shane Boissevain
shaneboissevain at gmail.com
Mon Apr 11 21:44:46 UTC 2016
Coop,
Thanks for the speedy reply. I've confirmed that by playing with the flags
option I can get Suricata to trip on the desired 18 packets.
However, I suppose my question isn't so much "how do I get this to trip
on these packets" and more "why doesn't that signature trip on all of
these packets?"
For example, if I add a reputation alert (based off of those found in
Emerging Threats' drop.rules file):

    alert ip 10.0.0.100 any -> any any (msg:"TEST Rule 2"; classtype:misc-attack; sid:9000002; rev:1;)
I would expect there to be 20 alerts tripped, as I send 20 packets that
have the source IP of 10.0.0.100 (as verified below):
# tcpdump -nr test.pcap src net 10.0.0.100 | wc
> 20 lines
However, I only see 5 total alerts, verified by:
# u2spewfoo unified2.alert.1460410545 | grep '(Event)' | wc
> 5 lines
~ Shane