[Oisf-users] Strange Alerts with sig_id=1 and gen_id=2

Shane Boissevain shaneboissevain at gmail.com
Tue Nov 15 21:31:02 UTC 2016


I'm having issues with some seemingly random alerts showing up in my
unified2 output (which is causes some barnyard2 issues down the road).

Basically, the below alert ends up in my unified2.alert file which causes
problems when barnyard2 goes to insert it into the database. The only way
it could have possibly ended up in that file is if suricata wrote the alert
there. But the strange thing is that the generator id = 2, and the
signature id = 1. I've looked through my ruleset, and it doesn't exist.
There is no mention of sid:1; anywhere, let alone gid:2;.

So my question is as follows: Where else could this alert be coming from?
Is there a preprocessor (or equivalent) in suricata I'm neglecting to
check? Where or what is my next step to start looking?

>      sensor id: 0      event id: 8193         event second: 1479151501
>  event microsecond: 559244
>         sig id: 1        gen id: 2                revision: 1
>    classification: 0
>       priority: 2     ip source:   ip destination:
>           blocked: 0
>       src port: 80    dest port: 62328            protocol: 6
>       impact_flag: 0
>     mpls label: None    vlan id: None
> Packet
>         sensor id: 0                       event id: 8193    event second:
> 1479151501
>     packet second: 1479151501    packet microsecond: 559244
>          linktype: 1                  packet_length: 66

Shane Boissevain
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20161115/1301b0fd/attachment.html>

More information about the Oisf-users mailing list