[Oisf-users] IP Reputation Continual Alerting

[Kerry Milestone]

Hello,

I have a rule which looks like:

alert ip $REP_LOCAL_NET any -> any any (msg:"carnage - Internal host
talking to FirstCull"; flow:to_server; iprep:dst,FirstCull,=,10;
sid:987654; rev:1;)

However, I can't seem to work out the trigger.  The docs state that it
"will only be checked once per flow-direction."

but it seems that even though the flow_id is the same, it logs
continually - ie timestamps are increasing and log files become rather
inflated.

ie
from eve
{"timestamp":"2017-03-30T11:29:32.854735+0100","flow_id":1631837894758365,
.
.


from fast
03/30/2017-11:29:57.302824  [**] [1:987653:1] carnage - Internal host
talking to FirstCull [**] [Classification: (null)] [Priority: 3] {TCP}
x.x.x.x:50233 -> y.y.y.y:80
03/30/2017-11:29:57.312632  [**] [1:987653:1] carnage - Internal host
talking to FirstCull [**] [Classification: (null)] [Priority: 3] {TCP}
x.x.x.x:50233 -> y.y.y.y:80
03/30/2017-11:29:57.312764  [**] [1:987653:1] carnage - Internal host
talking to FirstCull [**] [Classification: (null)] [Priority: 3] {TCP}
x.x.x.x:50233 -> y.y.y.y:80
03/30/2017-11:29:57.317139  [**] [1:987653:1] carnage - Internal host
talking to FirstCull [**] [Classification: (null)] [Priority: 3] {TCP}
x.x.x.x:50233 -> y.y.y.y:80
03/30/2017-11:29:57.325609  [**] [1:987653:1] carnage - Internal host
talking to FirstCull [**] [Classification: (null)] [Priority: 3] {TCP}
x.x.x.x:50233 -> y.y.y.y:80
.
.


Have I missed something?  I've tried also setting the rule to alert on
tcp and udp, but similar results.

Running compiled from source suricata 3.2.1 on centos 7, hyperscan, pfring

Many thanks,
Kerry.

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.