[Oisf-users] Recently started getting Applayer protocol alerts
Orion Poplawski
orion at nwra.com
Tue Jan 22 20:50:50 UTC 2019
We're running Suricata (4.1.2_1 and 4.0.13_6) on our pfSense boxes. Recently
(about the 12th or 13th it seems) we've started getting lots of "SURICATA
Applayer Mismatch protocol both directions" and "SURICATA Applayer Detect
protocol only one direction" alerts.
Most of the "one direction" alerts seem to be for SMTP traffic - which
according to https://suricata.readthedocs.io/en/latest/rules/app-layer.html is
expected. Any reason not to exclude ports 25, 465, 587 from these rules?
Most of the "both directions" messages seem to be for SMB port 445 traffic.
Did something change recently for this kind of traffic?
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 https://www.nwra.com/
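Before excluding the mail ports from the app-layer rules as the post proposes, it helps to measure which ports and signatures actually produce the alerts and how many would be silenced. The following Python script is an added example, not code from the original post, pfSense or the Suricata project: it reads eve.json alert lines, tallies the "SURICATA Applayer ..." alerts by signature and destination port, reports how many alerts a port exclusion would drop, and rewrites a rule header so the destination port becomes a negated port list. The eve.json lines and the rule (with placeholder sid 9000001) are constructed for the example; the rule text uses the generic Suricata header syntax, not a copy of the shipped app-layer-events.rules.

```python
import json
import re
from collections import Counter

APPLAYER_PREFIX = "SURICATA Applayer"
MAIL_PORTS = {25, 465, 587}

# Constructed eve.json lines (not captured data): two SMTP-port one-direction
# events, one SMB-port both-directions event, one unrelated alert and one
# malformed line to exercise the parser's error handling.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "src_port": 51234,
                "dest_ip": "203.0.113.10", "dest_port": 25, "proto": "TCP",
                "alert": {"signature": "SURICATA Applayer Detect protocol only one direction"}}),
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.6", "src_port": 51235,
                "dest_ip": "203.0.113.11", "dest_port": 587, "proto": "TCP",
                "alert": {"signature": "SURICATA Applayer Detect protocol only one direction"}}),
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.7", "src_port": 51236,
                "dest_ip": "10.0.0.20", "dest_port": 445, "proto": "TCP",
                "alert": {"signature": "SURICATA Applayer Mismatch protocol both directions"}}),
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.8", "src_port": 51237,
                "dest_ip": "198.51.100.5", "dest_port": 80, "proto": "TCP",
                "alert": {"signature": "EXAMPLE unrelated web alert"}}),
    "this line is not JSON",
]

# Constructed rule with a placeholder sid; the header shape is what matters here.
SAMPLE_RULE = ('alert tcp any any -> any any (msg:"SURICATA Applayer Detect protocol '
               'only one direction"; flow:established; sid:9000001; rev:1;)')


def parse_eve(lines):
    """Yield alert records from eve.json lines, skipping non-alert and malformed lines."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and "alert" in rec:
            yield rec


def is_applayer_alert(rec):
    """True for the Suricata app-layer anomaly signatures (by message prefix)."""
    return rec["alert"].get("signature", "").startswith(APPLAYER_PREFIX)


def applayer_alerts_by_port(lines):
    """Count app-layer alerts keyed by (signature, dest_port)."""
    counts = Counter()
    for rec in parse_eve(lines):
        if is_applayer_alert(rec):
            counts[(rec["alert"]["signature"], rec.get("dest_port"))] += 1
    return counts


def exclusion_impact(lines, ports=MAIL_PORTS):
    """Return (kept, dropped) app-layer alert counts if traffic on `ports`
    (either side of the flow) were excluded from the rules."""
    kept = dropped = 0
    for rec in parse_eve(lines):
        if not is_applayer_alert(rec):
            continue
        if rec.get("src_port") in ports or rec.get("dest_port") in ports:
            dropped += 1
        else:
            kept += 1
    return kept, dropped


RULE_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<body>\(.*\))\s*$")


def exclude_ports_from_rule(rule, ports):
    """Rewrite a rule whose destination port is 'any' to a negated port list."""
    m = RULE_HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a recognisable Suricata rule header")
    if m.group("dport") != "any":
        raise ValueError("destination port is already restricted; edit by hand")
    negated = "![" + ",".join(str(p) for p in sorted(ports)) + "]"
    return "{action} {proto} {src} {sport} -> {dst} {dport} {body}".format(
        dport=negated, **{k: v for k, v in m.groupdict().items() if k != "dport"})


if __name__ == "__main__":
    for (sig, port), n in sorted(applayer_alerts_by_port(SAMPLE_EVE_LINES).items()):
        print(f"{n:5d}  port {port:<5}  {sig}")
    print("kept/dropped under mail-port exclusion:", exclusion_impact(SAMPLE_EVE_LINES))
    print(exclude_ports_from_rule(SAMPLE_RULE, MAIL_PORTS))
```

Run it against a real eve.json with `parse_eve(open("/var/log/suricata/eve.json"))` to see the per-port breakdown before touching the rules. Note that the rewrite only negates the destination port; because app-layer events can fire on the server-to-client packet, an exclusion that is meant to cover a whole mail flow needs the mail ports negated on the source side as well (or a second rule), which is why `exclusion_impact` checks both ports of the flow.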