[Oisf-users] Suricata Source and Destination IPs reversed on some alerts

Peter Manev petermanev at gmail.com
Wed Aug 24 13:14:37 UTC 2016


On Fri, Aug 19, 2016 at 9:21 PM, Jeff H <jeff61225 at gmail.com> wrote:
> I recently started running Suricata on the latest version of SELKS.
>
> I noticed that I am getting alerts that should only trigger on inbound
> traffic on outbound traffic.
>
> The traffic in this example was caused by me entering the IP in a web browser
> to generate this traffic.
>
> In this example the IPs in the alert entry are reversed from what I would
> think they should be. They are correct in the flow entry.
>
> http://pastebin.com/3uuFvFwP
>
> This next alert example is from the same host and it has what I would expect
> the source and destination to be
>
> http://pastebin.com/sQAmCMg8
>
> Any thoughts on what could be going on here?

Would it be possible to share a pcap that reproduces that case?

>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net



-- 
Regards,
Peter Manev
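To gather the data Peter asks for, it helps to pull out exactly which alert entries disagree with their flow entry, as Jeff describes (alert reversed, flow as expected). The script below is an added example and is not code from the original post or from the Suricata project: it reads eve.json lines, pairs each alert with the flow record carrying the same flow_id, and classifies the alert's src/dest as "same", "reversed", "mismatch" or "no-flow" relative to the flow record. It assumes the EVE field names event_type, flow_id, src_ip, src_port, dest_ip, dest_port and alert.signature_id; the sample records, IPs, ports and signature text are constructed for the example. It says nothing about why a reversal happens, only where it happens, so the matching flow_ids can be tied to a pcap.

```python
import json
import sys

# Constructed sample eve.json lines (not from the original post). Field names
# follow Suricata's EVE output; IPs, ports, flow_ids and signatures are made up.
SAMPLE_EVE = """\
{"timestamp":"2016-08-19T20:01:00.000001+0000","flow_id":1001,"event_type":"alert","src_ip":"203.0.113.10","src_port":80,"dest_ip":"192.0.2.5","dest_port":51234,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE inbound-only rule"}}
{"timestamp":"2016-08-19T20:01:05.000001+0000","flow_id":1001,"event_type":"flow","src_ip":"192.0.2.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":4}}
{"timestamp":"2016-08-19T20:02:00.000001+0000","flow_id":1002,"event_type":"alert","src_ip":"192.0.2.5","src_port":51300,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"signature_id":9000002,"signature":"EXAMPLE outbound rule"}}
{"timestamp":"2016-08-19T20:02:05.000001+0000","flow_id":1002,"event_type":"flow","src_ip":"192.0.2.5","src_port":51300,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":5}}
{"timestamp":"2016-08-19T20:03:00.000001+0000","flow_id":1003,"event_type":"alert","src_ip":"198.51.100.7","src_port":443,"dest_ip":"192.0.2.5","dest_port":51400,"proto":"TCP","alert":{"signature_id":9000003,"signature":"EXAMPLE alert without flow record"}}
"""


def endpoints(rec):
    """The 4-tuple an EVE record reports, in the order it reports it."""
    return (rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"])


def parse_eve(text):
    """Split eve.json lines into a list of alert records and a flow_id -> flow record map."""
    alerts, flows = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        kind = rec.get("event_type")
        if kind == "alert":
            alerts.append(rec)
        elif kind == "flow":
            # One flow record per flow_id; a later record for the same id wins.
            flows[rec["flow_id"]] = rec
    return alerts, flows


def classify(alert, flow):
    """Compare an alert's endpoints against its flow record's endpoints."""
    a, f = endpoints(alert), endpoints(flow)
    if a == f:
        return "same"
    if (a[2], a[3], a[0], a[1]) == f:
        return "reversed"
    return "mismatch"


def alert_directions(text):
    """Return [(flow_id, signature_id, status), ...] for every alert in the input,
    where status is 'same', 'reversed', 'mismatch' or 'no-flow'."""
    alerts, flows = parse_eve(text)
    result = []
    for alert in alerts:
        flow = flows.get(alert.get("flow_id"))
        status = "no-flow" if flow is None else classify(alert, flow)
        result.append((alert.get("flow_id"), alert["alert"]["signature_id"], status))
    return result


def reversed_flow_ids(text):
    """Flow ids whose alert src/dest are the reverse of the flow record's."""
    return [fid for fid, _sid, status in alert_directions(text) if status == "reversed"]


if __name__ == "__main__":
    # Usage: python eve_direction.py /var/log/suricata/eve.json
    # With no argument the constructed sample above is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    for fid, sid, status in alert_directions(data):
        print(f"flow_id={fid} sid={sid} {status}")
    print("reversed:", reversed_flow_ids(data))
```

Feed the output's reversed flow_ids back into a packet capture filter (the same 5-tuple appears in both records) to cut a minimal pcap for the list; alerts that land in "no-flow" simply have no flow record yet in the slice of eve.json you read, so widen the time window before treating them as a problem.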


