[Oisf-users] duplicate alert messages
박경호
pgh5247 at naver.com
Fri Mar 3 06:30:08 UTC 2017
I try to use Suricata (version 3.2.0) in IDS mode to read and process multiple pcap files.
When I checked the alert messages in fast.log, there were many copies of the same alert message, like below.
As far as I know, Suricata processes the flow for the packets.
Only one message should be alerted in a situation where packets with the same tuple (source ip/port, destination ip/port, protocol) are transferred continuously.
But the test result is different.
(test pcap : https://drive.google.com/file/d/0B4Mdb8bpuRlneS00bFoyWVZwMkk/view?usp=sharing )
[suricata.yaml] for flow-timeout
  tcp:
    new: 1800
    established: 15
    closed: 0
    bypassed: 100
02/23/2017-15:22:53.000610 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:53.000635 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:53.000655 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:53.000755 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:54.000126 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:54.000496 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:54.000517 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:54.000553 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:54.000594 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:55.000443 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:55.000489 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:55.000999 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:56.000054 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:56.000393 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:56.000563 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:56.000627 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:56.000658 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:56.000684 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:56.000702 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:56.000731 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:56.000762 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
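Suricata evaluates a content signature against every packet it inspects, so a rule like 1:2101390 fires on each matching packet of a flow unless the signature or a threshold.config entry limits it (for example `threshold gen_id 1, sig_id 2101390, type limit, track by_src, count 1, seconds 60`). The following added example, which is not part of the original post or of Suricata, parses fast.log lines, counts alerts per (signature, flow) key, and emulates a "type limit" threshold over the log offline so the duplicate volume can be measured before changing the configuration. The sample input reuses the poster's lines plus one constructed alert for a second flow (192.0.2.10 -> 198.51.100.20) and one constructed alert for the original flow two minutes later.

```python
"""Parse Suricata fast.log lines and rate-limit alerts per (signature, flow)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# fast.log layout: "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src:port -> dst:port"
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample: four lines from the post, one constructed second flow,
# and one constructed repeat of the first flow 125 seconds after its first alert.
SAMPLE_FAST_LOG = """\
02/23/2017-15:22:53.000610  [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:53.000635  [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:54.000126  [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:56.000762  [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:57.000100  [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.0.2.10:8012 -> 198.51.100.20:40001

02/23/2017-15:24:58.000000  [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
"""


def parse_fast_log_line(line):
    """Return a dict for one fast.log line, or None if the line does not match."""
    m = FAST_LOG_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["ts"] = datetime.strptime(alert["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for field in ("gid", "sid", "rev", "priority"):
        alert[field] = int(alert[field])
    return alert


def parse_fast_log(text):
    """Parse all lines, silently skipping blank or unrecognised ones."""
    return [a for a in (parse_fast_log_line(l) for l in text.splitlines()) if a]


def flow_key(alert):
    """Signature id plus a direction-agnostic 5-tuple, like Suricata's bidirectional flow."""
    endpoints = tuple(sorted((alert["src"], alert["dst"])))
    return (alert["gid"], alert["sid"], alert["proto"], endpoints)


def count_per_flow(alerts):
    """How many times each (signature, flow) key alerted."""
    return Counter(flow_key(a) for a in alerts)


def limit_per_flow(alerts, seconds=60, count=1):
    """Emulate threshold 'type limit': keep the first `count` alerts per key in each
    `seconds`-long window that starts at the first alert, drop the rest.
    Returns (kept_alerts, number_suppressed)."""
    window = timedelta(seconds=seconds)
    state = {}  # key -> (window_start, emitted_in_window)
    kept, suppressed = [], 0
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        key = flow_key(alert)
        start, emitted = state.get(key, (None, 0))
        if start is None or alert["ts"] - start >= window:
            start, emitted = alert["ts"], 0  # open a fresh window
        if emitted < count:
            kept.append(alert)
            emitted += 1
        else:
            suppressed += 1
        state[key] = (start, emitted)
    return kept, suppressed


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    for key, n in count_per_flow(parsed).items():
        print(f"{key}: {n} alerts")
    kept, dropped = limit_per_flow(parsed, seconds=60)
    print(f"kept {len(kept)}, suppressed {dropped}")
```

Run against a real fast.log by reading the file into `parse_fast_log`; the per-key counts show which signatures need a threshold entry, and `limit_per_flow` shows how much a given window would cut before the change is made in threshold.config.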