[Oisf-users] Packet not dropped?
James Moe
jimoe at sohnen-moe.com
Sun Nov 18 18:33:27 UTC 2018
On 17/11/2018 5.06 PM, Andreas Herz wrote:
> Can you share how you are running suricata?
>
/usr/local/bin/suricata -v --pidfile /data01/var/run/suricata.pid -c
/usr/local/etc/suricata/suricata.yaml -q 0
> Which configuration are you using?
>
$ suricata --build-info
This is Suricata version 4.1.0 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG
LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_LIBJANSSON TLS MAGIC
RUST
SIMD support: SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 7.3.1 20180323 [gcc-7-branch revision 258812], C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.28, linked against LibHTP v0.5.28
Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: no
libnspr support: no
libjansson support: yes
liblzma support: no
hiredis support: no
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: no
libluajit: no
libgeoip: no
Non-bundled htp: no
Old barnyard2 support: no
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
Rust support: yes (default)
Rust strict mode: no
Rust debug mode: no
Rust compiler: rustc 1.24.1
Rust cargo: cargo 0.26.0
Suricatasc install: yes
Profiling enabled: no
Profiling locks enabled: no
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr/local
Configuration directory: /usr/local/etc/suricata/
Log directory: /usr/local/var/log/suricata/
--prefix /usr/local
--sysconfdir /usr/local/etc
--localstatedir /usr/local/var
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / gcc (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -march=native
-I${srcdir}/../rust/gen/c-headers
PCAP_CFLAGS -I/usr/include
SECCFLAGS
> Are the rules changed from alert to drop?
>
Yes.
drop ip any any -> any any (msg:"SURICATA Applayer Detect protocol only
one direction"; flow:established;
app-layer-event:applayer_detect_protocol_only_one_direction;
flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode;
sid:2260002; rev:1;)
The original post showed the log entry with "[DROP]" in it. Yet the
Alert entry showed the entry was not dropped.
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20181118/4ac99c00/attachment.sig>
More information about the Oisf-users
mailing list