[Oisf-users] Strange Alerts with sig_id=1 and gen_id=2

Andreas Herz andi at geekosphere.org
Tue Nov 15 21:47:42 UTC 2016


Hi,

did you activate the files.rules shipped with suricata?

There is this rule (but commented out by default):

#alert http any any -> any any (msg:"FILEEXT JPG file claimed"; fileext:"jpg"; sid:1; rev:1;)

That one has sid:1.

If not, what version of suricata do you use and how exactly?
Can you reproduce it with a .pcap?

On 15/11/16 at 15:31, Shane Boissevain wrote:
> Howdy!
> 
> I'm having issues with some seemingly random alerts showing up in my
> unified2 output (which causes some barnyard2 issues down the road).
> 
> Basically, the below alert ends up in my unified2.alert file which causes
> problems when barnyard2 goes to insert it into the database. The only way
> it could have possibly ended up in that file is if suricata wrote the alert
> there. But the strange thing is that the generator id = 2, and the
> signature id = 1. I've looked through my ruleset, and it doesn't exist.
> There is no mention of sid:1; anywhere, let alone gid:2;.
> 
> So my question is as follows: Where else could this alert be coming from?
> Is there a preprocessor (or equivalent) in suricata I'm neglecting to
> check? Where or what is my next step to start looking?
> 
> 
> 
> (Event)
> >      sensor id: 0      event id: 8193         event second: 1479151501
> >  event microsecond: 559244
> >         sig id: 1        gen id: 2                revision: 1
> >    classification: 0
> >       priority: 2     ip source: 10.0.0.1   ip destination: 192.168.1.100
> >           blocked: 0
> >       src port: 80    dest port: 62328            protocol: 6
> >       impact_flag: 0
> >     mpls label: None    vlan id: None
> >
> > Packet
> >         sensor id: 0                       event id: 8193    event second: 1479151501
> >     packet second: 1479151501    packet microsecond: 559244
> >          linktype: 1                  packet_length: 66
> 
> 
> Sincerely,
> Shane Boissevain

> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net


-- 
Andreas Herz
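An added example, not part of Andreas's reply or of the Suricata project: a small Python scanner that walks rule text and reports every occurrence of a given gid/sid pair, including rules that are shipped commented out, which a plain grep for active rules can miss. It assumes Suricata's convention that a rule without a gid keyword has gid 1. The rule text below is a constructed sample; it contains the files.rules line quoted in the reply plus a made-up rule that sets gid:2 so both lookups have something to find.

```python
import re
from pathlib import Path
from typing import Iterator, List, NamedTuple

# Constructed sample resembling a fragment of Suricata's files.rules.
# Line 2 is the rule quoted in the reply, shipped commented out; line 5
# is a made-up rule with an explicit gid:2 for illustration.
SAMPLE_RULES = """\
# Suricata file rules (constructed sample for this example)
#alert http any any -> any any (msg:"FILEEXT JPG file claimed"; fileext:"jpg"; sid:1; rev:1;)
#alert http any any -> any any (msg:"FILEEXT PNG file claimed"; fileext:"png"; sid:2; rev:1;)
alert http any any -> any any (msg:"FILE store all"; filestore; sid:3; rev:1;)
alert http any any -> any any (msg:"CUSTOM gid 2 test"; gid:2; sid:1; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


class RuleHit(NamedTuple):
    source: str    # file name or "<string>"
    lineno: int    # 1-based line number in that source
    gid: int       # generator id (1 when the rule has no gid keyword)
    sid: int       # signature id
    enabled: bool  # False when the line is commented out with '#'
    msg: str       # rule msg text, empty if none


def iter_rules(text: str, source: str = "<string>") -> Iterator[RuleHit]:
    """Yield every rule-looking line, active or commented out.

    A line counts as a rule when it carries a sid keyword; comments
    without a sid are skipped. Missing gid means Suricata's default of 1.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("# ").strip()
        sid_m = SID_RE.search(body)
        if sid_m is None:
            continue
        gid_m = GID_RE.search(body)
        msg_m = MSG_RE.search(body)
        yield RuleHit(
            source=source,
            lineno=lineno,
            gid=int(gid_m.group(1)) if gid_m else 1,
            sid=int(sid_m.group(1)),
            enabled=enabled,
            msg=msg_m.group(1) if msg_m else "",
        )


def find_signature(text: str, gid: int, sid: int,
                   source: str = "<string>") -> List[RuleHit]:
    """Return all rules in `text` whose gid/sid match, enabled or not."""
    return [h for h in iter_rules(text, source)
            if h.gid == gid and h.sid == sid]


def scan_files(paths, gid: int, sid: int) -> List[RuleHit]:
    """Same lookup across several rule files on disk (e.g. /etc/suricata/rules/*.rules)."""
    hits: List[RuleHit] = []
    for p in paths:
        text = Path(p).read_text(errors="replace")
        hits.extend(find_signature(text, gid, sid, source=str(p)))
    return hits


if __name__ == "__main__":
    # Look up the gid/sid pair from the unified2 event in the thread.
    for hit in find_signature(SAMPLE_RULES, gid=2, sid=1):
        state = "active" if hit.enabled else "commented out"
        print(f"{hit.source}:{hit.lineno} gid={hit.gid} sid={hit.sid} "
              f"({state}) msg={hit.msg!r}")
    # And the sid:1 rule from files.rules, which has the default gid of 1.
    for hit in find_signature(SAMPLE_RULES, gid=1, sid=1):
        state = "active" if hit.enabled else "commented out"
        print(f"{hit.source}:{hit.lineno} gid={hit.gid} sid={hit.sid} "
              f"({state}) msg={hit.msg!r}")
```

Pointing `scan_files` at a real rules directory shows whether a matching rule exists at all and whether it is actually loaded or only present as a commented-out line, which separates "the rule is in my ruleset" from "the rule is enabled".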


