[Oisf-users] Recently started getting Applayer protocol alerts
Peter Manev
petermanev at gmail.com
Fri Jan 25 09:39:15 UTC 2019
On Tue, Jan 22, 2019 at 9:50 PM Orion Poplawski <orion at nwra.com> wrote:
>
> We're running suricata (4.1.2_1 and 4.0.13_6) on our pfSense boxes. Recently
> (about the 12th or 13th it seems) we've started getting lots of "SURICATA
> Applayer Mismatch protocol both directions" and "SURICATA Applayer Detect
> protocol only one direction" alerts.
>
> Most of the "one direction" alerts seem to be for SMTP traffic - which
> according to https://suricata.readthedocs.io/en/latest/rules/app-layer.html is
> expected. Any reason not to exclude ports 25, 465, 587 from these rules?
>
You can try excluding it and see/feedback how it goes?
> Most of the "both directions" messages seem to be for SMB port 445 traffic.
> Did something change recently for this kind of traffic?
>
Any possibility to share a pcap on that? (Privately if you would like to.)
Thank you
--
Regards,
Peter Manev
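Before dropping ports 25, 465 and 587 (or 445) from the app-layer event rules, it helps to quantify what Orion describes: how much of each "Applayer" signature actually lands on those ports. The script below is an added example, not code from the thread or from the Suricata project. It reads Suricata EVE JSON alert records (eve.json), groups the two signatures quoted above by the likely service port, and reports the share of each signature that a port exclusion would silence. The sample records, sid values and addresses are constructed; the "lower port is the service port" heuristic is an assumption of this example.

```python
import json
from collections import Counter, defaultdict

ONE_DIR = "SURICATA Applayer Detect protocol only one direction"
BOTH_DIR = "SURICATA Applayer Mismatch protocol both directions"
MAIL_PORTS = {25, 465, 587}

# Constructed sample of EVE JSON lines, trimmed to the fields used here.
# Signature names are those quoted in the thread; signature_id values and
# IP addresses are placeholders, not data from a real sensor.
SAMPLE_EVE = """\
{"timestamp":"2019-01-22T20:50:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.9","dest_port":25,"proto":"TCP","alert":{"signature":"SURICATA Applayer Detect protocol only one direction","signature_id":9000001}}
{"timestamp":"2019-01-22T20:50:01.000000+0000","event_type":"alert","src_ip":"203.0.113.9","src_port":465,"dest_ip":"10.0.0.5","dest_port":51240,"proto":"TCP","alert":{"signature":"SURICATA Applayer Detect protocol only one direction","signature_id":9000001}}
{"timestamp":"2019-01-22T20:50:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51250,"dest_ip":"203.0.113.9","dest_port":587,"proto":"TCP","alert":{"signature":"SURICATA Applayer Detect protocol only one direction","signature_id":9000001}}
{"timestamp":"2019-01-22T20:50:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":51300,"dest_ip":"198.51.100.4","dest_port":80,"proto":"TCP","alert":{"signature":"SURICATA Applayer Detect protocol only one direction","signature_id":9000001}}
{"timestamp":"2019-01-22T20:50:04.000000+0000","event_type":"alert","src_ip":"10.0.0.8","src_port":52000,"dest_ip":"10.0.0.2","dest_port":445,"proto":"TCP","alert":{"signature":"SURICATA Applayer Mismatch protocol both directions","signature_id":9000002}}
{"timestamp":"2019-01-22T20:50:05.000000+0000","event_type":"alert","src_ip":"10.0.0.2","src_port":445,"dest_ip":"10.0.0.8","dest_port":52001,"proto":"TCP","alert":{"signature":"SURICATA Applayer Mismatch protocol both directions","signature_id":9000002}}
{"timestamp":"2019-01-22T20:50:06.000000+0000","event_type":"flow","src_ip":"10.0.0.8","src_port":52002,"dest_ip":"10.0.0.2","dest_port":445,"proto":"TCP"}
this line is not JSON and is skipped
"""


def iter_alerts(lines):
    """Yield only well-formed 'alert' events; skip blanks, other event types
    and unparseable lines so a partially written eve.json does not abort the run."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if event.get("event_type") == "alert" and "alert" in event:
            yield event


def service_port(event):
    """Heuristic (an assumption of this example): app-layer events can be
    raised on packets in either direction, so the lower of the two ports is
    taken as the server-side service port."""
    return min(event["src_port"], event["dest_port"])


def alerts_by_sig_and_port(lines):
    """Return {signature: Counter({service_port: alert_count})}."""
    counts = defaultdict(Counter)
    for event in iter_alerts(lines):
        counts[event["alert"]["signature"]][service_port(event)] += 1
    return counts


def share_on_ports(counts, signature, ports):
    """Fraction of a signature's alerts that sit on the given service ports,
    i.e. the share that a port exclusion in the rule would silence."""
    per_port = counts.get(signature, Counter())
    total = sum(per_port.values())
    if total == 0:
        return 0.0
    return sum(n for port, n in per_port.items() if port in ports) / total


if __name__ == "__main__":
    counts = alerts_by_sig_and_port(SAMPLE_EVE.splitlines())
    for sig, per_port in counts.items():
        print(sig)
        for port, n in per_port.most_common():
            print(f"  port {port}: {n}")
    print(f"{ONE_DIR!r} on mail ports: {share_on_ports(counts, ONE_DIR, MAIL_PORTS):.0%}")
    print(f"{BOTH_DIR!r} on SMB port: {share_on_ports(counts, BOTH_DIR, {445}):.0%}")
```

Run it against a real sensor with `alerts_by_sig_and_port(open("/var/log/suricata/eve.json"))`. If nearly all of the "one direction" alerts sit on the mail ports, excluding those ports from that rule costs little visibility; a large remainder on other ports, or a sudden concentration of "both directions" alerts on 445 that was not there before, is the case worth keeping and investigating with a pcap, as the reply above asks for.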