[Oisf-users] Multiple alerts

Luke Whitworth l.a.whitworth at gmail.com
Thu Feb 25 08:56:41 UTC 2016


Hi all,

I have my sensors all up and running, capturing traffic and alerting out
through barnyard2 to snorby.  The issue I have is that most alerts come through
multiple times, for example:

RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:01 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:01 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:01 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:01 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM

The payload for each of these alerts is different so I'm guessing it's
Suricata alerting on the various packets that made up the suspicious flow,
but this does make it pretty hard to wade through.  Ideally I'd like
Suricata to alert once for the entire flow, ideally with the entire flow
payload attached to the one event.

Is this possible?  Or am I missing/misunderstanding something fairly
fundamental?

Cheers,

Luke
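As an added illustration that is not part of the thread: the per-packet alert storm Luke describes is what Suricata's threshold `type limit` (e.g. a threshold.config line of the form `threshold gen_id 1, sig_id <SID>, type limit, track by_src, count 1, seconds 60`) is meant to tame, and the script below mimics that semantics on the consumer side. It groups alerts by (source, destination, signature), emits one event per window and attaches every packet payload seen in that window to it, which is the "one alert per flow with the whole payload" Luke is asking for. The alert records, the placeholder signature text and the `limit_per_flow` / `render_event` helper names are constructed for the example and do not come from Suricata, barnyard2 or snorby.

```python
"""Added example (not from the oisf-users thread): collapse Suricata's
per-packet alerts into one event per flow and time window, the way a
threshold.config `type limit, count 1, seconds N` entry would."""
from collections import namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", "ts src dst sig payload")


def parse_ts(text):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamps used below."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


# Constructed sample alerts modelled on the snorby listing in the post:
# the same signature fires once per packet of the flow, each with a
# different payload. The second destination is a separate flow, and the
# last alert falls outside the first 60-second window.
SIG = "ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript"  # constructed label
SAMPLE_ALERTS = [
    Alert(parse_ts("2016-02-25 08:00:01"), "149.202.1.123", "138.250.0.1", SIG, "pkt-1"),
    Alert(parse_ts("2016-02-25 08:00:02"), "149.202.1.123", "138.250.0.1", SIG, "pkt-2"),
    Alert(parse_ts("2016-02-25 08:00:05"), "149.202.1.123", "138.250.0.1", SIG, "pkt-3"),
    Alert(parse_ts("2016-02-25 08:01:00"), "149.202.1.123", "138.250.0.1", SIG, "pkt-4"),
    Alert(parse_ts("2016-02-25 08:00:03"), "149.202.1.123", "138.250.0.2", SIG, "pkt-5"),
    Alert(parse_ts("2016-02-25 08:02:30"), "149.202.1.123", "138.250.0.1", SIG, "pkt-6"),
]


def limit_per_flow(alerts, seconds=60):
    """Emit one event per (src, dst, signature) per `seconds` window.

    Mirrors Suricata's threshold `type limit, count 1`: the first alert
    that opens a window is kept, later alerts in the same window are
    folded into it (their payloads are appended and counted), and an
    alert arriving after the window has elapsed opens a new event.
    Returns the events in the order their windows were opened.
    """
    window = timedelta(seconds=seconds)
    current = {}   # flow key -> the event whose window is still open
    emitted = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.dst, a.sig)
        rec = current.get(key)
        if rec is None or a.ts - rec["window_start"] >= window:
            rec = {"window_start": a.ts, "first": a, "count": 0, "payloads": []}
            current[key] = rec
            emitted.append(rec)
        rec["count"] += 1
        rec["payloads"].append(a.payload)
    return emitted


def render_event(rec):
    """One-line summary of a collapsed event, with the packet count and
    the concatenated payloads of the whole flow attached."""
    first = rec["first"]
    return "%s %s -> %s %s (%d packets) payload=%s" % (
        first.ts.isoformat(sep=" "), first.src, first.dst, first.sig,
        rec["count"], "|".join(rec["payloads"]))


if __name__ == "__main__":
    for event in limit_per_flow(SAMPLE_ALERTS, seconds=60):
        print(render_event(event))
```

Tracking on the full (src, dst, sig) triple is stricter than `track by_src`, which would also fold the second destination into the first event; pick the key that matches how the analyst wants to pivot in snorby. The window length is the same trade-off as the `seconds` value in threshold.config: long enough to cover a flow, short enough that a genuinely new session from the same host still raises its own alert.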