[Oisf-users] Strange Alerts with sig_id=1 and gen_id=2
Shane Boissevain
shaneboissevain at gmail.com
Tue Nov 15 22:06:18 UTC 2016
Andreas,
Thanks for your quick reply!
I am running my own ruleset (emerging-threats' current_events.rules,
exploit.rules, malware.rules, mobile_malware.rules, scan.rules,
trojan.rules, and worm.rules). So no, the default files are not active, and
that named alert is not present.
What I find completely baffling is the generator id of 2. I thought that
Suricata defaulted all alerts to 1 unless the gid modifier was present in a
rule (a quick grep shows that it is not).
Suricata is running inline as a detection engine on the edge of my network.
Its version is below:
> # suricata -V
> This is Suricata version 3.0.2 RELEASE
I'm currently unable to reproduce it with a pcap. I am less interested in
the traffic that caused the alert than I am in discovering where the rule's
source came from / is.
Sincerely,
Shane Boissevain
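An added example (not from the poster or the Suricata project) of the two checks the message describes, done programmatically rather than by eye: index every active rule by its (gid, sid) pair, defaulting gid to 1 when no gid keyword is present, then walk EVE JSON alert records and report any (gid, signature_id) pair that no loaded rule accounts for. The rule text and EVE lines embedded below are constructed samples; the `gid` and `signature_id` fields are the ones Suricata writes in the `alert` object of eve.json.

```python
import json
import re
import sys
from collections import Counter

# Constructed sample rules (not the poster's ruleset): one relies on the
# default gid, one sets gid explicitly, one line is a comment.
RULES_TEXT = """\
alert tcp any any -> any 80 (msg:"EXAMPLE rule, default gid"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"EXAMPLE rule, explicit gid"; gid:2; sid:1000002; rev:1;)
# disabled rules and comments are skipped
"""

# Constructed eve.json records (not output from any real sensor).
EVE_LINES = """\
{"event_type":"alert","alert":{"gid":1,"signature_id":1000001,"signature":"EXAMPLE rule, default gid"}}
{"event_type":"alert","alert":{"gid":2,"signature_id":1,"signature":"unknown"}}
{"event_type":"flow","flow":{"pkts_toserver":3}}
{"event_type":"alert","alert":{"gid":2,"signature_id":1000002,"signature":"EXAMPLE rule, explicit gid"}}
"""

# Matches the gid:N and sid:N rule options.
RULE_OPT_RE = re.compile(r'\b(gid|sid)\s*:\s*(\d+)')
MSG_RE = re.compile(r'msg:"([^"]*)"')


def index_rules(text):
    """Return {(gid, sid): msg} for every active rule; gid defaults to 1."""
    index = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        opts = dict(RULE_OPT_RE.findall(line))
        if 'sid' not in opts:
            continue  # not a complete signature
        gid = int(opts.get('gid', 1))
        m = MSG_RE.search(line)
        index[(gid, int(opts['sid']))] = m.group(1) if m else ''
    return index


def alerts_by_generator(eve_text):
    """Count alert records per (gid, signature_id), ignoring other event types."""
    counts = Counter()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or partial line at end of a live file
        if ev.get('event_type') != 'alert':
            continue
        a = ev.get('alert', {})
        if 'gid' in a and 'signature_id' in a:
            counts[(a['gid'], a['signature_id'])] += 1
    return counts


def unmatched_alerts(eve_text, rules_text):
    """(gid, sid) pairs seen in alerts that no loaded rule explains."""
    known = index_rules(rules_text)
    return sorted(k for k in alerts_by_generator(eve_text) if k not in known)


def main(argv):
    # Usage: script.py [rules_file ...] -- eve.json ; with no args, samples run.
    if '--' in argv:
        split = argv.index('--')
        rules_text = ''.join(open(p).read() for p in argv[:split])
        eve_text = open(argv[split + 1]).read()
    else:
        rules_text, eve_text = RULES_TEXT, EVE_LINES
    for gid, sid in unmatched_alerts(eve_text, rules_text):
        print(f"alert gid={gid} sid={sid} has no matching rule in the loaded files")


if __name__ == '__main__':
    main(sys.argv[1:])
```

Run against the constructed samples, the only unexplained pair is (2, 1), which mirrors the sig_id=1 / gen_id=2 alert in the subject line: a signature id that appears in no rule file points at an internal generator rather than a loaded rule.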