[Oisf-users] Question about rule handling

Pildesapo2 pildesapo2 at protonmail.com
Mon May 7 17:49:11 UTC 2018


Hello,
I am trying to trigger an alert when someone tries to do a root login on a MySQL server. So I created a simple rule which should trigger on a login request using the "content" option. When I test the rule, the alert triggers only at the moment when I quit the MySQL session, not on the start of the session at the login request. Why is this? It looks like Suricata handles the alerts per flow, and not per packet. The rule looks like this:
alert tcp any any <> any 3306 (msg:"MYSQL root login attempt"; content:"|6d 79 73 71 6C|"; sid:1000004;)
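An added example, not code from the original post or from Suricata: the rule's content "|6d 79 73 71 6C|" is the ASCII string "mysql". In the client's login packet (HandshakeResponse41) that string appears in the auth plugin name, such as "mysql_native_password", not in the username; the username is a NUL-terminated string that follows a fixed 32-byte prefix (capability flags, max packet size, character set, 23 reserved bytes). The same plugin name is also advertised by the server in its greeting when it supports plugin auth, so the content matches in both directions regardless of which user logs in. The Python below builds a constructed login packet, decodes it, and contrasts the substring test the rule performs with a check on the actual username field. The packet bytes are constructed, not captured, and the decoder assumes auth responses shorter than 251 bytes (the one-byte length form), as noted in the code.

```python
"""Decode a MySQL client login packet (HandshakeResponse41) and compare a
plain substring test for "mysql" with a check on the username field.
Added example for this thread, not code from the original post or from
Suricata.  All packet bytes below are constructed, not captured."""
import struct
from typing import Optional

# Capability flag bits from the MySQL client/server protocol.
CLIENT_CONNECT_WITH_DB = 0x00000008
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA = 0x00200000

# Byte offset of the username inside the packet body: capability flags (4),
# max packet size (4), character set (1), reserved (23).
USERNAME_OFFSET = 32


def build_login(user: str, auth_resp: bytes, database: Optional[str] = None,
                plugin: str = "mysql_native_password") -> bytes:
    """Construct a HandshakeResponse41 with its 4-byte packet header."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    if database is not None:
        caps |= CLIENT_CONNECT_WITH_DB
    body = struct.pack("<IIB", caps, 16 * 1024 * 1024, 0x21) + b"\x00" * 23
    body += user.encode() + b"\x00"
    body += bytes([len(auth_resp)]) + auth_resp     # 1-byte length form
    if database is not None:
        body += database.encode() + b"\x00"
    body += plugin.encode() + b"\x00"
    # Header: 3-byte little-endian length, then sequence id (1 = reply to greeting).
    return struct.pack("<I", len(body))[:3] + b"\x01" + body


def parse_login(pkt: bytes) -> dict:
    """Decode the fields a detector cares about from a client login packet."""
    length = int.from_bytes(pkt[0:3], "little")
    body = pkt[4:4 + length]
    if len(body) != length or length < USERNAME_OFFSET + 1:
        raise ValueError("truncated or too-short packet")
    caps, max_packet, charset = struct.unpack_from("<IIB", body, 0)
    if not caps & CLIENT_PROTOCOL_41:
        raise ValueError("not a HandshakeResponse41")
    pos = USERNAME_OFFSET
    end = body.index(b"\x00", pos)
    user = body[pos:end].decode("utf-8", "replace")
    pos = end + 1
    if caps & (CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA | CLIENT_SECURE_CONNECTION):
        # Assumption: the auth response is < 251 bytes, so both the
        # length-encoded and the fixed 1-byte length forms are one byte.
        auth_len = body[pos]
        if auth_len >= 251:
            raise ValueError("multi-byte length-encoded auth response not handled")
        pos += 1
        auth_resp = body[pos:pos + auth_len]
        pos += auth_len
    else:
        end = body.index(b"\x00", pos)      # legacy NUL-terminated form
        auth_resp = body[pos:end]
        pos = end + 1
    database = None
    if caps & CLIENT_CONNECT_WITH_DB:
        end = body.index(b"\x00", pos)
        database = body[pos:end].decode()
        pos = end + 1
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        end = body.index(b"\x00", pos)
        plugin = body[pos:end].decode()
    return {"seq": pkt[3], "user": user, "auth_len": len(auth_resp),
            "database": database, "plugin": plugin}


def content_offset(pkt: bytes, content: bytes = b"mysql") -> int:
    """The test the posted rule performs: a substring search over the
    payload for |6d 79 73 71 6c|.  Returns the match offset, or -1."""
    return pkt.find(content)


def is_root_login(pkt: bytes) -> bool:
    """Decide on the username field itself rather than on any substring."""
    try:
        return parse_login(pkt)["user"] == "root"
    except ValueError:
        return False


if __name__ == "__main__":
    for user, db in (("root", None), ("app", "shop")):
        pkt = build_login(user, b"\x11" * 20, database=db)
        fields = parse_login(pkt)
        print(f"user={fields['user']!r} plugin={fields['plugin']!r} "
              f"'mysql' at offset {content_offset(pkt)} "
              f"(username starts at {4 + USERNAME_OFFSET}); "
              f"root login: {is_root_login(pkt)}")
```

Running it shows that "mysql" is found in both the root and the non-root login, always at the plugin-name offset well past the username, while the username check only fires for root. A rule meant to catch root specifically therefore has to anchor on the username field in the client-to-server login packet rather than on the string "mysql".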

