[Oisf-users] EXTERNAL: Re: Making Suricata Alert Per Matching Packet

Rasmor, Zachary R zachary.r.rasmor at lmco.com
Tue Apr 12 14:51:05 UTC 2016


Hi Shane,

Good questions; I've had some similar ones myself and haven't totally gotten 
to the bottom of them yet. As a test, you might try adding "flow: no_stream" 
(for inspecting packets only) and "flow: only_stream" (for streams only) and 
seeing how your results change in each case.

Zach

________________________
Zach Rasmor
Email: zachary.r.rasmor at lmco.com
Office: 301.240.6116
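
The three rule variants Zach is suggesting, written out as an added example (this is not a rule set from the thread or from the Suricata project). It assumes 10.0.0.100 is the test host from Shane's question; the sid values and msg strings are made up, and the comment on rule 1 reflects my understanding that Suricata classifies a rule with no payload or flow keywords as IP-only and evaluates it once per flow rather than on every packet.

```suricata
# Added example rules, not from the original thread.
# Assumptions: 10.0.0.100 is the host under test; sids 9000001-9000003 and
# the msg strings are invented for illustration.

# 1. IP-only rule: no payload or flow keywords. As far as I know Suricata
#    puts this in its IP-only engine and evaluates it once per flow, which
#    would explain a single alert per session rather than one per packet.
alert ip 10.0.0.100 any -> any any (msg:"TEST ip-only from 10.0.0.100"; sid:9000001; rev:1;)

# 2. Same source match, restricted to per-packet inspection. The flow
#    keyword takes the rule out of the IP-only category.
alert tcp 10.0.0.100 any -> any any (msg:"TEST no_stream from 10.0.0.100"; flow:no_stream; sid:9000002; rev:1;)

# 3. Same source match, restricted to reassembled stream inspection only
#    (TCP only, since only the stream engine produces that data).
alert tcp 10.0.0.100 any -> any any (msg:"TEST only_stream from 10.0.0.100"; flow:only_stream; sid:9000003; rev:1;)
```

To compare the three, save them to a rule file, replay a pcap of the session with `suricata -r session.pcap -S test.rules -l /tmp/suri-out` (the pcap and output paths are placeholders), and count alerts per sid in the resulting fast.log; the difference in counts between sids 9000001 and 9000002 is the per-flow versus per-packet behaviour in question.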

-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org]
On Behalf Of Cooper F. Nelson
Sent: Monday, April 11, 2016 6:32 PM
To: Shane Boissevain <shaneboissevain at gmail.com>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: EXTERNAL: Re: [Oisf-users] Making Suricata Alert Per Matching Packet

Did you try the text-only alerts?

On 4/11/2016 3:30 PM, Shane Boissevain wrote:
> So i guess my refined-refined question is:
> Should the above "Test Rule 2" IP-Only Signature (with no thresholding in
> place) trip on every packet seen from 10.0.0.100, or only on the first
> packet of the session? It seems intuitive to me that it would trip on
> every packet, but this is not the behavior I'm experiencing.
>
> ~ Shane


--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
