[Oisf-users] Strange Alerts with sig_id=1 and gen_id=2

Shane Boissevain shaneboissevain at gmail.com
Tue Nov 15 22:06:18 UTC 2016


Thanks for your quick reply!

I am running my own ruleset (emerging-threats' current_events.rules,
exploit.rules, malware.rules, mobile_malware.rules, scan.rules,
trojan.rules, and worm.rules). So no, the default files are not active, and
that named alert is not present.

What I find completely baffling is the generator id of 2. I thought that
suricata default all alerts to 1, unless the gid modifier was present in a
rule (a quick grep shows that it is not).

Suricata is running inline as a detection engine on the edge of my network.
It's version is below

> # suricata -V
> This is Suricata version 3.0.2 RELEASE

I'm currently unable to reproduce it with a pcap. I am less interested in
the traffic that caused the alert than I am in discovering where the rule's
source came from / is.

Shane Boissevain
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20161115/d470287a/attachment-0002.html>

More information about the Oisf-users mailing list