[Oisf-users] Suricata Source and Destination IPs reversed on some alerts

Jeff H jeff61225 at gmail.com
Thu Aug 25 15:21:36 UTC 2016


Hi Peter,
I think we got this sorted out. It was user error/confusion on my part.
There is a difference in the behavior of this rule in Snort vs Suricata
(which ET says they are discussing internally) and I mistakenly overlooked
the fact that the rule is stateless.

Jeff

On Wed, Aug 24, 2016 at 6:14 AM, Peter Manev <petermanev at gmail.com> wrote:

> On Fri, Aug 19, 2016 at 9:21 PM, Jeff H <jeff61225 at gmail.com> wrote:
> > I recently started running Suricata on the latest version of SELKS.
> >
> > I noticed that I am getting alerts that should only trigger on inbound
> > traffic on outbound traffic.
> >
> > The traffic in this example was caused by me entering the IP in a web browser
> > to generate this traffic.
> >
> > In this example the IPs in the alert entry are reversed from what I would
> > think they should be. They are correct in the flow entry.
> >
> > http://pastebin.com/3uuFvFwP
> >
> > This next alert example is from the same host and it has what I would expect
> > the source and destination to be
> >
> > http://pastebin.com/sQAmCMg8
> >
> > Any thoughts on what could be going on here?
>
> Would it be possible to share a pcap that reproduces that case?
>
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 9-11 in Washington, DC:
> > http://oisfevents.net
>
>
>
> --
> Regards,
> Peter Manev
>
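Added example, not from the thread or the Suricata project: a small Python triage script over constructed EVE JSON alert lines. It compares the top-level src_ip/dest_ip (the packet that matched) with the nested flow object's src_ip/dest_ip (the flow's client-to-server orientation) to flag alerts whose matching packet ran server-to-client; those are the alerts from stateless rules that look "reversed", and are candidates for a direction constraint such as flow:to_server in the rule. The signature ids, addresses and records are constructed sample values.

```python
import json

# Constructed EVE JSON records (sample values, not from the original thread).
# Top-level src_ip/dest_ip describe the packet that matched the rule; the nested
# "flow" object describes the whole flow, oriented client (initiator) -> server.
SAMPLE_EVE = r"""
{"event_type":"alert","src_ip":"198.51.100.10","src_port":80,"dest_ip":"192.0.2.5","dest_port":51234,"alert":{"signature_id":2000001,"signature":"EXAMPLE inbound only"},"flow":{"src_ip":"192.0.2.5","src_port":51234,"dest_ip":"198.51.100.10","dest_port":80}}
{"event_type":"alert","src_ip":"192.0.2.5","src_port":51234,"dest_ip":"198.51.100.10","dest_port":80,"alert":{"signature_id":2000002,"signature":"EXAMPLE outbound"},"flow":{"src_ip":"192.0.2.5","src_port":51234,"dest_ip":"198.51.100.10","dest_port":80}}
{"event_type":"flow","src_ip":"192.0.2.5","dest_ip":"198.51.100.10"}
"""


def packet_direction(event):
    """Return 'to_server', 'to_client' or None for an alert event by comparing
    the matching packet's 4-tuple with the flow's client->server 4-tuple."""
    flow = event.get("flow")
    if event.get("event_type") != "alert" or not flow:
        return None
    pkt = (event["src_ip"], event.get("src_port"), event["dest_ip"], event.get("dest_port"))
    fwd = (flow["src_ip"], flow.get("src_port"), flow["dest_ip"], flow.get("dest_port"))
    if pkt == fwd:
        return "to_server"
    if pkt == (fwd[2], fwd[3], fwd[0], fwd[1]):
        return "to_client"
    return None  # neither orientation: malformed or partial record


def find_reversed_alerts(eve_text):
    """Return [(signature_id, client_ip, server_ip), ...] for alerts whose
    matching packet travelled server->client. A rule meant to fire only on
    client->server traffic that shows up here is stateless with respect to
    direction and is a candidate for a flow:to_server constraint."""
    hits = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if packet_direction(ev) == "to_client":
            hits.append((ev["alert"]["signature_id"], ev["flow"]["src_ip"], ev["flow"]["dest_ip"]))
    return hits


if __name__ == "__main__":
    for sid, client, server in find_reversed_alerts(SAMPLE_EVE):
        print(f"sid {sid}: packet was server->client; flow client={client} server={server}")
```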