[Oisf-users] Strange Alerts with sig_id=1 and gen_id=2

Jason Ish lists at unx.ca
Tue Nov 15 22:14:47 UTC 2016


On Tue, Nov 15, 2016 at 3:31 PM, Shane Boissevain
<shaneboissevain at gmail.com> wrote:
> Howdy!
>
> I'm having issues with some seemingly random alerts showing up in my
> unified2 output (which causes some barnyard2 issues down the road).
>
> Basically, the below alert ends up in my unified2.alert file which causes
> problems when barnyard2 goes to insert it into the database. The only way it
> could have possibly ended up in that file is if suricata wrote the alert
> there. But the strange thing is that the generator id = 2, and the signature
> id = 1. I've looked through my ruleset, and it doesn't exist. There is no
> mention of sid:1; anywhere, let alone gid:2;.
>
> So my question is as follows: Where else could this alert be coming from? Is
> there a preprocessor (or equivalent) in suricata I'm neglecting to check?
> Where or what is my next step to start looking?
>
>
>
>> (Event)
>>      sensor id: 0      event id: 8193         event second: 1479151501
>> event microsecond: 559244
>>         sig id: 1        gen id: 2                revision: 1
>> classification: 0
>>       priority: 2     ip source: 10.0.0.1   ip destination: 192.168.1.100
>> blocked: 0
>>       src port: 80    dest port: 62328            protocol: 6
>> impact_flag: 0
>>     mpls label: None    vlan id: None
>>
>> Packet
>>         sensor id: 0                       event id: 8193    event second:
>> 1479151501
>>     packet second: 1479151501    packet microsecond: 559244
>>          linktype: 1                  packet_length: 66

This is caused by a rule with the "tag" keyword. Tagging causes
additional packets to be logged in addition to the alert triggering
packet. Unfortunately Suricata does not follow the way Snort does this
with unified2 output, but does it more like Snort's unified1 output
where tagged packets were logged as an event with gid:2, sid:1.

Technically it's a fully valid event with the exception that no rule
exists for it. Can you tell me more about what issues Barnyard2 is
having with it?  I wouldn't expect any unified2 processing tools to
have an issue with it.

Jason
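The point of the reply above is that the gid:2/sid:1 event is a legitimate unified2 record that simply has no rule behind it, so a downstream consumer should be able to recognise and, if it wants, skip it. The following is an added example (my own code, not from the thread, Suricata or Barnyard2) that walks a unified2 file record by record and separates rule alerts from tag-generated packet events. It assumes the Snort unified2 record layout as I recall it (type 2 = packet, type 7 = 52-byte IPv4 event, type 104 = IPv4 event with the mpls_label/vlan_id trailer that the dump in the thread shows; all integers big-endian), and the sample bytes it parses are constructed inline to mirror the event in the thread plus one ordinary alert from a hypothetical rule with sid 1000001.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

# Record type numbers and field layouts follow the Snort unified2 format as I
# know it (an assumption of this example, not something stated in the thread).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # 52-byte IPv4 event (Snort)
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event followed by mpls_label/vlan_id/pad

EVENT_FMT = "!11I2H4B"          # 52 bytes, network byte order
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact",
                "blocked")
VLAN_FMT = "!IHH"               # mpls_label, vlan_id, pad
PACKET_FMT = "!7I"              # 28-byte packet header, then packet_length bytes
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")

TAG_GID, TAG_SID = 2, 1         # gid/sid Suricata uses for packets logged by "tag"
EVENT_TYPES = (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN)


@dataclass
class Record:
    rtype: int
    fields: dict = field(default_factory=dict)


def parse_unified2(data: bytes) -> list:
    """Parse a serial unified2 byte stream: each record is a (type, length) header
    followed by `length` bytes of body. Unknown types are kept as raw bytes."""
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        off += 8
        body = data[off:off + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record at offset %d" % off)
        off += rlen
        if rtype in EVENT_TYPES:
            fields = dict(zip(EVENT_FIELDS, struct.unpack_from(EVENT_FMT, body, 0)))
            for key in ("ip_source", "ip_destination"):
                fields[key] = str(ipaddress.IPv4Address(fields[key]))
            if rtype == UNIFIED2_IDS_EVENT_VLAN:
                mpls, vlan, _pad = struct.unpack_from(VLAN_FMT, body, 52)
                fields.update(mpls_label=mpls, vlan_id=vlan)
        elif rtype == UNIFIED2_PACKET:
            fields = dict(zip(PACKET_FIELDS, struct.unpack_from(PACKET_FMT, body, 0)))
            fields["packet_data"] = body[28:28 + fields["packet_length"]]
        else:
            fields = {"raw": body}
        records.append(Record(rtype, fields))
    return records


def is_tag_packet_event(rec: Record) -> bool:
    """True for an event record that carries no rule: gid 2 / sid 1."""
    return rec.rtype in EVENT_TYPES and \
        (rec.fields["generator_id"], rec.fields["signature_id"]) == (TAG_GID, TAG_SID)


def split_events(records: list):
    """Return (rule_alerts, tag_packet_events); packet records are left out."""
    rule_alerts, tagged = [], []
    for rec in records:
        if rec.rtype in EVENT_TYPES:
            (tagged if is_tag_packet_event(rec) else rule_alerts).append(rec)
    return rule_alerts, tagged


# --- constructed sample input (not captured from a sensor) -------------------
def _record(rtype: int, body: bytes) -> bytes:
    return struct.pack("!II", rtype, len(body)) + body


def _event(event_id, sid, gid, rev, prio, src, dst, sport, dport,
           sec=1479151501, usec=559244) -> bytes:
    body = struct.pack(EVENT_FMT, 0, event_id, sec, usec, sid, gid, rev, 0, prio,
                       int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                       sport, dport, 6, 0, 0, 0)
    return _record(UNIFIED2_IDS_EVENT_VLAN, body + struct.pack(VLAN_FMT, 0, 0, 0))


def _packet(event_id, payload, sec=1479151501, usec=559244) -> bytes:
    hdr = struct.pack(PACKET_FMT, 0, event_id, sec, sec, usec, 1, len(payload))
    return _record(UNIFIED2_PACKET, hdr + payload)


def build_sample_file() -> bytes:
    """One alert from a hypothetical rule (sid 1000001, gid 1) followed by a
    tag-generated event shaped like the one in the thread (gid 2, sid 1,
    event id 8193), each with its packet record. Packet bytes are a placeholder."""
    pkt = b"\x00" * 66
    return (_event(8192, 1000001, 1, 1, 2, "192.168.1.100", "10.0.0.1", 62328, 80)
            + _packet(8192, pkt)
            + _event(8193, 1, 2, 1, 2, "10.0.0.1", "192.168.1.100", 80, 62328)
            + _packet(8193, pkt))


if __name__ == "__main__":
    alerts, tagged = split_events(parse_unified2(build_sample_file()))
    print("rule alerts:", [r.fields["signature_id"] for r in alerts])
    print("tag packet events:", [r.fields["event_id"] for r in tagged])
```

To run it over a real spool file, replace `build_sample_file()` with the bytes of the `unified2.alert` file; anything `split_events` reports in the second list is a tag-generated packet event that no rule in the ruleset will match, which is the kind of record Barnyard2 would need a gid 2 / sid 1 entry (or a skip) for.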