[Oisf-users] Question about rule handling

Pildesapo2 pildesapo2 at protonmail.com
Mon May 7 17:49:11 UTC 2018

I am trying to trigger an alert when someone tries to do a root login on a mysql server. So I created a simple rule which should trigger on a login request using the "content" option. When I test the rule, the alert triggers only at the moment when I quit the mysql session, not on the start of the session at the login request. Why is this? It looks like Suricata handles the alerts per flow, and not per packet. The rule looks like this:
alert tcp any any <> any 3306 (msg:"MYSQL root login attempt"; content:"|6d 79 73 71 6C|"; sid:1000004;)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180507/5e6891cd/attachment.html>

More information about the Oisf-users mailing list