[Oisf-users] Multiple alerts

Luke Whitworth l.a.whitworth at gmail.com
Thu Feb 25 11:54:01 UTC 2016


Hi Doug,

I haven't.....however I get the feeling I very much should!  Will have a
look and give it a go.

Many thanks,

Luke

On 25 February 2016 at 11:42, Doug Burks <doug.burks at gmail.com> wrote:

> Hi Luke,
>
> Have you considered the barnyard2 option called
> "--disable-alert-on-each-packet-in-stream"?
>
> On Thu, Feb 25, 2016 at 3:56 AM, Luke Whitworth <l.a.whitworth at gmail.com>
> wrote:
> > Hi all,
> >
> > I have my sensors all up and running, capturing traffic and alerting out
> > through barnyard2 to snorby.  Issue I have is that most alerts come through
> > multiple times, for example:
> >
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:01 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:01 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:01 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:01 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> > RESNET-S  149.202.1.123 GB  138.250.xxx.xx  ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 8:00 AM
> >
> > The payload for each of these alerts is different so I'm guessing it's
> > Suricata alerting on the various packets that made up the suspicious flow,
> > but this does make it pretty hard to wade through.  Ideally I'd like
> > Suricata to alert once for the entire flow, ideally with the entire flow
> > payload attached to the one event.
> >
> > Is this possible?  Or am I missing/misunderstanding something fairly
> > fundamental?
> >
> > Cheers,
> >
> > Luke
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 9-11 in Washington, DC:
> > http://oisfevents.net
>
>
>
> --
> Doug Burks
> http://securityonion.net
>
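Added example, not part of this thread and not barnyard2's or Suricata's own code: a small Python pass that collapses per-packet alerts carrying the same signature and the same flow 5-tuple into one record per flow, which is the same collapsing the barnyard2 option Doug names is after, done here as post-processing over fast.log-style lines. The fast.log line layout, the 60-second run window and the sample lines (including the placeholder SID 9999999 and the RFC 5737 destination addresses) are assumptions of this example.

```python
import re
from collections import OrderedDict
from datetime import datetime, timedelta

# Regex for a Suricata fast.log-style alert line (layout assumed for this example):
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*\d+\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$'
)

# Constructed sample input: five alerts for one client/server conversation (one of them in the
# reply direction), one alert for a second client, and one non-alert line. SID 9999999 is a
# placeholder, not the real ET signature id; 192.0.2.x are documentation addresses.
SAMPLE_FAST_LOG = """\
02/25/2016-08:00:01.100000  [**] [1:9999999:1] ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.202.1.123:80 -> 192.0.2.10:51234
02/25/2016-08:00:01.250000  [**] [1:9999999:1] ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.202.1.123:80 -> 192.0.2.10:51234
02/25/2016-08:00:02.000000  [**] [1:9999999:1] ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.202.1.123:80 -> 192.0.2.10:51234
02/25/2016-08:00:02.500000  [**] [1:9999999:1] ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51234 -> 149.202.1.123:80
02/25/2016-08:01:03.000000  [**] [1:9999999:1] ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.202.1.123:80 -> 192.0.2.10:51234
02/25/2016-08:00:05.000000  [**] [1:9999999:1] ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.202.1.123:80 -> 192.0.2.11:40000
this line is not an alert and is skipped
"""


def parse_fast_line(line):
    """Return a dict of alert fields, or None if the line is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert['ts'] = datetime.strptime(alert['ts'], '%m/%d/%Y-%H:%M:%S.%f')
    return alert


def flow_key(alert):
    """Signature plus a direction-agnostic 5-tuple, so packets from both sides of
    the same TCP conversation fall into the same bucket."""
    ends = sorted([(alert['src'], alert['sport']), (alert['dst'], alert['dport'])])
    return (alert['gid'], alert['sid'], alert['proto'], ends[0], ends[1])


def aggregate(lines, window=timedelta(seconds=60)):
    """Collapse alerts that share a flow key and fall within `window` of the
    first alert of their run. Returns one record per (flow, run), in the order
    the flows were first seen; a later burst on the same flow starts a new run."""
    buckets = OrderedDict()
    for line in lines:
        alert = parse_fast_line(line)
        if alert is None:
            continue
        runs = buckets.setdefault(flow_key(alert), [])
        if runs and alert['ts'] - runs[-1]['first'] <= window:
            run = runs[-1]
            run['count'] += 1
            run['last'] = max(run['last'], alert['ts'])
        else:
            runs.append({'sid': alert['sid'], 'msg': alert['msg'],
                         'src': alert['src'], 'dst': alert['dst'],
                         'first': alert['ts'], 'last': alert['ts'], 'count': 1})
    return [run for runs in buckets.values() for run in runs]


def aggregate_sample():
    """Run the aggregator over the constructed sample above."""
    return aggregate(SAMPLE_FAST_LOG.splitlines())


if __name__ == '__main__':
    for run in aggregate_sample():
        print('%s  %s -> %s  x%d  (%s .. %s)' % (
            run['sid'], run['src'], run['dst'], run['count'],
            run['first'].time(), run['last'].time()))
```

The direction-agnostic key is the part worth copying: an alert that fires on the server's reply and one that fires on the client's request are the same flow to an analyst, so they belong in one record. The per-run window keeps a genuinely new burst on the same flow an hour later from being silently folded into the old one. Note that this only reduces what reaches the console; the full per-packet detail stays in the original log for the investigation.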