[Oisf-users] Making Suricata Alert Per Matching Packet

Shane Boissevain shaneboissevain at gmail.com
Mon Apr 11 21:44:46 UTC 2016


Thanks for the speedy reply. I've confirmed that by playing with the flags
option I can get Suricata to trip on the desired 18 packets.

However, I suppose my question isn't so much "how do I get this to trip
on these packets" and more "why doesn't that signature trip on all of
these packets?"

For example, if I add a reputation alert (based off of those found in
Emerging Threats' drop.rules file):

    alert ip any -> any any (msg:"TEST Rule 2";
        classtype:misc-attack; sid:9000002; rev:1;)

I would expect there to be 20 alerts tripped, as I send 20 packets that
have the source IP of (as verified below):

    # tcpdump -nr test.pcap src net | wc
          20 lines

However, I only see 5 total alerts... verified by:

    # u2spewfoo unified2.alert.1460410545  | grep '(Event)' | wc
           5 lines

~ Shane
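
The check behind the question above, as an added example that is not part of the original thread or of Suricata's own code: a rule like "TEST Rule 2" carries no content or flow keywords, so Suricata treats it as an IP-only rule and evaluates it once per direction of a flow rather than on every packet, which is why the alert count tracks flows rather than packets. The script below takes a packet list and a u2spewfoo-style dump (both constructed here, with TEST-NET addresses and a hypothetical `Packet` record) and reports which counting model (per packet, per flow direction, per flow) reproduces the observed number of `(Event)` records.

```python
"""Compare packet, flow-direction and flow counts against an alert count."""
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    """Hypothetical minimal packet record; a real run would fill these from a pcap."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def flow_key(p: Packet) -> tuple:
    """Canonical bidirectional 5-tuple: both directions of a flow map to one key."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def direction_key(p: Packet) -> tuple:
    """5-tuple that keeps direction, so each side of a flow counts once."""
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def expected_alerts(packets, mode: str) -> int:
    """Alerts a rule would raise under each evaluation model."""
    if mode == "packet":
        return len(packets)
    if mode == "direction":  # IP-only rules: once per flow direction
        return len({direction_key(p) for p in packets})
    if mode == "flow":
        return len({flow_key(p) for p in packets})
    raise ValueError(f"unknown mode {mode!r}")


def count_src(packets, net: str) -> int:
    """Same count as 'tcpdump -nr test.pcap src net <prefix> | wc'."""
    network = ipaddress.ip_network(net)
    return sum(1 for p in packets if ipaddress.ip_address(p.src) in network)


def count_events(u2spewfoo_output: str) -> int:
    """Same count as 'u2spewfoo <file> | grep (Event) | wc'."""
    return sum(1 for line in u2spewfoo_output.splitlines() if "(Event)" in line)


def diagnose(packets, observed: int) -> list:
    """Return the models whose expected alert count equals the observed one."""
    return [m for m in ("packet", "direction", "flow")
            if expected_alerts(packets, m) == observed]


# Constructed sample: 5 TCP flows, 4 packets each from the watched source,
# plus 3 reply packets in the opposite direction.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.7", 40000 + i, "198.51.100.10", 80)
    for i in range(5) for _ in range(4)
] + [
    Packet("tcp", "198.51.100.10", 80, "203.0.113.7", 40000 + i)
    for i in range(3)
]

# Constructed u2spewfoo-style dump with one (Event) record per flow direction.
SAMPLE_U2SPEWFOO = "\n".join(
    f"(Event)\n\tsensor id: 0\tevent id: {i}\tsig id: 9000002\tgen id: 1"
    for i in range(1, 9)
)

if __name__ == "__main__":
    observed = count_events(SAMPLE_U2SPEWFOO)
    print("packets from source:", count_src(SAMPLE_PACKETS, "203.0.113.0/24"))
    for mode in ("packet", "direction", "flow"):
        print(f"{mode:>9}: {expected_alerts(SAMPLE_PACKETS, mode)}")
    print("observed alerts:", observed, "->", diagnose(SAMPLE_PACKETS, observed))
```

With only one-directional traffic in the pcap the "direction" and "flow" models give the same number, so a capture that includes replies is needed to tell them apart; the sample above includes three replies for that reason.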
