[Oisf-users] Strange Alerts with sig_id=1 and gen_id=2
Shane Boissevain
shaneboissevain at gmail.com
Tue Nov 15 21:31:02 UTC 2016
Howdy!
I'm having issues with some seemingly random alerts showing up in my
unified2 output (which causes some barnyard2 issues down the road).
Basically, the below alert ends up in my unified2.alert file which causes
problems when barnyard2 goes to insert it into the database. The only way
it could have possibly ended up in that file is if suricata wrote the alert
there. But the strange thing is that the generator id = 2, and the
signature id = 1. I've looked through my ruleset, and it doesn't exist.
There is no mention of sid:1; anywhere, let alone gid:2;.
So my question is as follows: Where else could this alert be coming from?
Is there a preprocessor (or equivalent) in suricata I'm neglecting to
check? Where or what is my next step to start looking?
(Event)
> sensor id: 0 event id: 8193 event second: 1479151501
> event microsecond: 559244
> sig id: 1 gen id: 2 revision: 1
> classification: 0
> priority: 2 ip source: 10.0.0.1 ip destination: 192.168.1.100
> blocked: 0
> src port: 80 dest port: 62328 protocol: 6
> impact_flag: 0
> mpls label: None vlan id: None
>
> Packet
> sensor id: 0 event id: 8193 event second: 1479151501
> packet second: 1479151501 packet microsecond: 559244
> linktype: 1 packet_length: 66
Sincerely,
Shane Boissevain
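One way to chase this down from the defender's side is to decode the unified2.alert file directly and list every event record whose (gen_id, sig_id) pair no loaded rule declares. The following is an added example, not code from the post or from Suricata/barnyard2; it assumes the standard unified2 record layouts (type 7 IDS event, type 104 IDS event with VLAN/MPLS, type 2 packet), and the sample stream and rule line it parses are constructed here from the values in the post.

```python
import re
import struct
from ipaddress import IPv4Address
# Unified2 record types and body layouts (Snort/Suricata unified2 format)
IDS_EVENT, IDS_EVENT_VLAN, PACKET = 7, 104, 2
EVENT_FMT = ">11I2H4B"  # 52-byte type-7 body; type 104 appends mpls_label(I) vlan_id(H) pad(H)
EVENT_FIELDS = ("sensor_id event_id event_second event_microsecond sig_id gen_id revision "
                "classification priority ip_src ip_dst sport dport protocol impact_flag "
                "impact blocked").split()
PACKET_FMT = ">7I"  # sensor_id event_id event_second pkt_second pkt_usec linktype pkt_len

def parse_unified2(data):
    """Yield (record_type, fields) for every record in a unified2 byte stream."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        body, off = data[off + 8:off + 8 + rlen], off + 8 + rlen
        if rtype in (IDS_EVENT, IDS_EVENT_VLAN):
            ev = dict(zip(EVENT_FIELDS, struct.unpack_from(EVENT_FMT, body)))
            ev["ip_src"], ev["ip_dst"] = (str(IPv4Address(ev[k])) for k in ("ip_src", "ip_dst"))
            if rtype == IDS_EVENT_VLAN:
                ev["mpls_label"], ev["vlan_id"] = struct.unpack_from(">IH", body, 52)
            yield rtype, ev
        elif rtype == PACKET:
            h = struct.unpack_from(PACKET_FMT, body)
            yield rtype, {"event_id": h[1], "linktype": h[5], "packet_length": h[6], "data": body[28:28 + h[6]]}

def ruleset_ids(rules_text):
    """Collect (gid, sid) pairs declared in rule text; gid defaults to 1 when a rule omits it."""
    ids = set()
    for line in rules_text.splitlines():
        sid, gid = re.search(r"\bsid\s*:\s*(\d+)", line), re.search(r"\bgid\s*:\s*(\d+)", line)
        if sid:
            ids.add((int(gid.group(1)) if gid else 1, int(sid.group(1))))
    return ids

def unknown_events(data, rules_text):
    """Return event records whose (gen_id, sig_id) no rule in the ruleset declares."""
    known = ruleset_ids(rules_text)
    return [ev for rtype, ev in parse_unified2(data)
            if rtype != PACKET and (ev["gen_id"], ev["sig_id"]) not in known]

def sample_stream():
    """Constructed sample: the gid 2 / sid 1 event from the post plus an ordinary gid 1 alert."""
    def event(sid, gid):
        body = struct.pack(EVENT_FMT, 0, 8193, 1479151501, 559244, sid, gid, 1, 0, 2,
                           int(IPv4Address("10.0.0.1")), int(IPv4Address("192.168.1.100")),
                           80, 62328, 6, 0, 0, 0)
        return struct.pack(">II", IDS_EVENT, len(body)) + body
    pkt = b"\x00" * 66  # constructed placeholder for the 66-byte packet body
    pkt_rec = struct.pack(PACKET_FMT, 0, 8193, 1479151501, 1479151501, 559244, 1, len(pkt)) + pkt
    return event(1, 2) + struct.pack(">II", PACKET, len(pkt_rec)) + pkt_rec + event(2000001, 1)
SAMPLE_RULES = 'alert tcp any any -> any any (msg:"test"; sid:2000001; rev:1;)\n'
```

Point unknown_events() at the real unified2.alert bytes and the concatenated *.rules files; any pair it reports came from something other than a rule in that set, which narrows the search to whatever else writes to the unified2 output.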