[Oisf-users] Question about rule handling

Peter Manev petermanev at gmail.com
Tue May 8 06:37:08 UTC 2018

On Mon, May 7, 2018 at 7:49 PM, Pildesapo2 <pildesapo2 at protonmail.com> wrote:
> Hello,
> I am trying to trigger an alert when someone tries to do a root login on a
> mysql server. So I created a simple rule which should trigger on a login
> request using the "content" option. When I test the rule, the alert triggers
> only at the moment when I quit the mysql session, not on the start of the
> session at the login request. Why is this? It looks like Suricata handles
> the alerts per flow, and not per packet. The rule looks like this:
> alert tcp any any <> any 3306 (msg:"MYSQL root login attempt"; content:"|6d
> 79 73 71 6C|"; sid:1000004;)

Can you please share how do you do the test and what Suricata version you use?

Peter Manev

More information about the Oisf-users mailing list