[Oisf-users] Multiple alerts

Doug Burks doug.burks at gmail.com
Thu Feb 25 11:42:44 UTC 2016


Hi Luke,

Have you considered the barnyard2 option called
"--disable-alert-on-each-packet-in-stream"?

On Thu, Feb 25, 2016 at 3:56 AM, Luke Whitworth <l.a.whitworth at gmail.com> wrote:
> Hi all,
>
> I have my sensors all up and running, capturing traffic and alerting out
> through barnyard2 to snorby.  Issue I have is that most alerts come through
> multiple times, for example:
>
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:01 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:01 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:01 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:01 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
> RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag
> In Edwards Packed JavaScript 8:00 AM
>
> The payload for each of these alerts is different so I'm guessing it's
> Suricata alerting on the various packets that made up the suspicious flow,
> but this does make it pretty hard to wade through.  Ideally I'd like
> Suricata to alert once for the entire flow, ideally with the entire flow
> payload attached to the one event.
>
> Is this possible?  Or am I missing/misunderstanding something fairly
> fundamental?
>
> Cheers,
>
> Luke
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net



-- 
Doug Burks
http://securityonion.net



More information about the Oisf-users mailing list