[Oisf-users] duplicate alert messages
Francis Trudeau
ftrudeau at emergingthreats.net
Fri Mar 3 17:11:51 UTC 2017
This rule:

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:6;)

is an IP rule. It will alert per packet. There are 63 packets that match
that content in your pcap and I get 63 alerts here.

That being said, shellcode rules are notoriously noisy. I would either
disable those, or negate more ports from your $SHELLCODE_PORTS variable in
your Suricata yaml.
On Thu, Mar 2, 2017 at 11:30 PM, 박경호 <pgh5247 at naver.com> wrote:
>
>
> I am trying to use Suricata (version 3.2.0) in IDS mode to read and
> process multiple pcap files.
>
> When I checked the alert messages in fast.log, there were many copies of the
> same alert message, like below.
>
> As far as I know, Suricata processes the flow for the packets.
>
> Only one message should be alerted in the situation where packets with the
> same tuple (source IP/port, destination IP/port, protocol) are transferred
> continuously.
>
> But the test result is different.
>
> (test pcap: https://drive.google.com/file/d/0B4Mdb8bpuRlneS00bFoyWVZwMkk/view?usp=sharing )
>
> [suricata.yaml] for flow-timeout
>
> tcp:
>   new: 1800
>   established: 15
>   closed: 0
>   bypassed: 100
>
> 02/23/2017-15:22:53.000610 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:53.000635 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:53.000655 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:53.000755 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:54.000126 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:54.000496 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:54.000517 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:54.000553 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:54.000594 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:55.000443 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:55.000489 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:55.000999 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:56.000054 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:56.000393 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:56.000563 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:56.000627 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:56.000658 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:56.000684 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:56.000702 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:56.000731 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
> 02/23/2017-15:22:56.000762 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
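To check Francis's point from your own fast.log (an IP rule fires once per matching packet, so one sid on one 5-tuple yields one line per packet), here is an added example that is not part of the thread or of Suricata itself. It parses fast.log lines, groups alerts by signature and flow tuple, and reports the per-flow counts; the sample input is constructed from the first four lines quoted above.

```python
"""Count Suricata fast.log alerts per signature and flow tuple (added example)."""
import re
from collections import Counter

# fast.log line layout, e.g.
# 02/23/2017-15:22:53.000610 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**]
#   [Classification: Executable code was detected] [Priority: 1] {TCP} 1.2.3.4:8012 -> 5.6.7.8:48927
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_fast_log(text):
    """Yield one dict per parseable alert line; silently skip anything else."""
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def alerts_per_flow(text):
    """Return {(sid, proto, src, dst): count}; one key = one rule on one flow.

    A count above 1 on a single key is the per-packet alerting Francis
    describes: the rule matched that many packets of the same flow.
    """
    counts = Counter()
    for a in parse_fast_log(text):
        counts[(a["sid"], a["proto"], a["src"], a["dst"])] += 1
    return dict(counts)


def noisy_flows(text, limit=1):
    """Keys from alerts_per_flow() whose count exceeds `limit` (default: repeats)."""
    return {k: n for k, n in alerts_per_flow(text).items() if n > limit}


# Constructed sample: the first four alert lines quoted in the thread.
SAMPLE = """\
02/23/2017-15:22:53.000610 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:53.000635 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:53.000655 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
02/23/2017-15:22:53.000755 [**] [1:2101390:6] GPL SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 211.188.203.33:8012 -> 210.125.145.148:48927
"""

if __name__ == "__main__":
    for (sid, proto, src, dst), n in noisy_flows(SAMPLE).items():
        print(f"sid {sid} {proto} {src} -> {dst}: {n} alerts (one per matching packet)")
```

Run it against the real fast.log by replacing SAMPLE with the file's contents; a single key carrying the full 63 confirms per-packet alerting on one flow rather than a flow-tracking problem.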