[Oisf-users] tcp.reassembly_gap
Victor Julien
lists at inliniac.net
Tue Jan 26 11:28:01 UTC 2016
On 26-01-16 11:32, Luke Whitworth wrote:
> Still sadly seeing some gaps in detection on Suricata that I'm not
> seeing in Snort on this host. Both Snort and Suricata are pulling from
> pfring, running side by side on the same server. If I check detections
> side by side:
>
> Snort
> GB 138.250.4.235 CN 140.207.217.32 ET TROJAN Possible
> Win32/Hupigon ip.txt with a Non-Mozilla UA 9:15 AM
> GB 138.250.128.17 GB 138.250.13.32 ET TROJAN Downloader User-Agent
> HTTPGET 9:35 AM
> GB 138.250.5.215 DE 46.33.68.72 ET CURRENT_EVENTS Fake Virus
> Phone Scam Landing Nov 16 9:41 AM
> GB 138.250.72.201 -- 104.66.229.96 ET CURRENT_EVENTS Terse
> alphanumeric executable downloader hig... 9:49 AM
>
> Suricata
> 01/26/2016-09:15:14.166186 [**] [1:2016950:2] ET TROJAN Possible Win32/Hupigon ip.txt with a Non-Mozilla UA [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 138.250.4.235:63342 -> 115.159.15.29:80
> 01/26/2016-09:41:37.799048 [**] [1:2022103:2] ET CURRENT_EVENTS Fake Virus Phone Scam Landing Nov 16 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 138.250.5.215:58869 -> 46.33.68.72:80
> 01/26/2016-09:49:24.287326 [**] [1:2019714:3] ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 138.250.72.201:65131 -> 104.66.229.96:80
>
> So for some reason Snort managed to detect the event at 9:35 AM that
> Suricata didn't. I'm having a bit of trouble getting to the bottom of
> why this might be the case. Does anyone have any suggestions for me
> where to start?
Pcap would be useful of course :)
Also, can you share a full section of your stats.log?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
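A first pass at the stats.log question raised above, as an added example that is not code from this thread or from the Suricata project: it parses consecutive stats.log dumps and reports which loss-related counters grew between them, since a rising tcp.reassembly_gap or drop counter means stream data never reached the detect engine. The "Counter | TM Name | Value" layout and the counter names other than tcp.reassembly_gap are assumed from the Suricata 2.x/3.x text stats format, and the excerpt is constructed.

```python
import re

# Constructed stats.log excerpt (not from the thread); the layout follows the
# Suricata 2.x/3.x text format: one "Counter | TM Name | Value" row per counter.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 1/26/2016 -- 09:35:00 (uptime: 0d, 01h 00m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_drops      | RxPFR1                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 1427
-------------------------------------------------------------------
Date: 1/26/2016 -- 09:43:00 (uptime: 0d, 01h 08m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_drops      | RxPFR1                    | 311
tcp.segment_memcap_drop   | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 1503
"""

# Counters whose growth means data never reached the detect engine (assumed
# names apart from tcp.reassembly_gap); a non-zero delta between two dumps is
# one way a rule can miss on Suricata while Snort on the same pfring still fires.
LOSS_COUNTERS = ("capture.kernel_drops", "tcp.segment_memcap_drop",
                 "tcp.ssn_memcap_drop", "tcp.reassembly_gap")

COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_snapshots(text):
    """Return one {counter: value} dict per dump, summing a counter across threads."""
    snapshots = []
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if line.startswith("Date:"):       # every dump opens with a Date line
            snapshots.append({})
        elif m and snapshots:              # header and separator rows do not match
            name, _thread, value = m.groups()
            snapshots[-1][name] = snapshots[-1].get(name, 0) + int(value)
    return snapshots


def loss_deltas(text, counters=LOSS_COUNTERS):
    """Map each loss counter that grew between the first and last dump to its increase."""
    snaps = parse_snapshots(text)
    if len(snaps) < 2:
        return {}
    first, last = snaps[0], snaps[-1]
    return {c: last.get(c, 0) - first.get(c, 0)
            for c in counters if last.get(c, 0) > first.get(c, 0)}
```

Run it over a real file with `loss_deltas(open("stats.log").read())`; an empty result means none of these counters moved and the miss is more likely a rule or stream-setting difference than lost data.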